Java Sql更新语句。 处理引号中的空值
[英]Java Sql Update Statement. Dealing with a Null in quotes
问题描述
I have a java program executing a SQL UPDATE to a table: 
我有一个Java程序执行对表的SQL UPDATE:
String qry = "UPDATE [Artists] SET [Website] = '" + artist.getWebsite() + "' WHERE [ID] = " + artist.getID() + "'";
If artist.getWebsite() is null it is inserting the string 'null' because of the quotes when I want to just leave it as a SQL NULL. 如果artist.getWebsite()为null,则由于要用引号将字符串'null'插入,而我只想将其保留为SQL NULL。 But I need the quotes as most of the time artist.getWebsite() returns a string. 但是我需要引号,因为artist.getWebsite()在大多数情况下都返回一个字符串。 What is the easiest way of dealing with this? 解决这个问题最简单的方法是什么?
3 个解决方案
解决方案1
2 已采纳 2015-03-21 13:47:57
Don't. 别。 Use. 采用。 String. 串。 Concatenation. 级联。 To. 至。 Build. 建立。 SQL. SQL。 Statements. 声明。 There are several reasons for this, not least this one: 造成这种情况的原因有很多,尤其是以下原因:
...and nulls are one of those reasons. ...空值是这些原因之一。 More: http://bobby-tables.com It's also really easy to get confused when doing it (your example has an extra ' at the end, for instance). 更多信息: http : //bobby-tables.com这样做也很容易引起混淆(例如,您的示例在末尾有一个额外的' )。
Let's ignore null for a moment: What if the value you're putting in the string contains ' ? 让我们暂时忽略null :如果您要在字符串中输入的值包含' ? Now you have a broken SQL string. 现在,您的SQL字符串已损坏。
Instead, use a PreparedStatement : 而是使用PreparedStatement :
PreparedStatement ps = conn.prepareStatement(
"UPDATE [Artists] SET [Website] = ? WHERE [ID] = ?"
);
ps.setString(1, artist.getWebsite());
ps.setInt(2), artist.getID());
Note that there are no quotes around the ? 请注意, ?周围没有引号? where we're going to put the string; 我们将把字符串放在哪里; PreparedStatement handles correctly quoting and escaping the content for you. PreparedStatement为您正确引用和转义内容。
I think setString lets you set null s, but I haven't done JDBC stuff in a while. 我认为 setString可以让您设置null ,但是我已经有一段时间没有做JDBC了。 For non-String columns, you'd use setNull ; 对于非字符串列,您可以使用setNull ; you may need a branch if setString isn't happy to do it, eg: 如果setString不满意,您可能需要一个分支,例如:
PreparedStatement ps = conn.prepareStatement(
"UPDATE [Artists] SET [Website] = ? WHERE [ID] = ?"
);
String web = artist.getWebsite();
if (web == null) {
ps.setNull(1, JDBCType.NVARCHAR);
} else {
ps.setString(1, web);
}
ps.setInt(2), artist.getID());
...but give setString a go first. ...但是setString吧。
解决方案2
0 2015-03-21 13:44:52
Use ..NULLIF('" + artist.getWebsite() + "', ''NULL''... when doing and update. More about operator: https://msdn.microsoft.com/en-us/library/ms177562.aspx 进行和更新时使用..NULLIF('" + artist.getWebsite() + "', ''NULL''...有关运算符的更多信息: https : //msdn.microsoft.com/zh-cn/library/ ms177562.aspx
This would return actual NULL 这将返回实际的NULL
SELECT NULLIF('NULL', 'NULL')
解决方案3
0 2015-03-21 13:49:03
If you use JDBC you should always try to use prepared statements instead of just concatenating the statement manually. 如果使用JDBC,则应始终尝试使用准备好的语句,而不仅仅是手动连接该语句。 In particular, using the setNull() method on the prepared statement will insert a SQL NULL into the query. 特别是,在准备好的语句上使用setNull()方法会将SQL NULL插入查询。
Using prepared statements also helps you protect your application from SQL injection attacks. 使用准备好的语句还可以帮助您保护应用程序免受SQL注入攻击。
Please see the following link: http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html 请参见以下链接: http : //docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.