在JDBC中转义单引号(出现错误:SQL语法中有错误……)
[英]Escape single quotes in JDBC (getting error: You have an error in your SQL syntax …)
问题描述
I'm trying to insert data into mysql using jdbc. 
我正在尝试使用jdbc将数据插入mysql。 I have something like this: 我有这样的事情:
Connection conn = DriverManager.getConnection(urlDB, userDB, passwordDB);
String postTitle = "Post title";
String postContent = "A Linux's distributions";
String sql = "INSERT INTO posts VALUES ( '"+postTitle+"', '"+postContent+"')";
PreparedStatement statement = conn.prepareStatement(sql);
statement.executeUpdate();
conn.close();
But I'm getting an error: 但是我遇到一个错误:
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's
As far as I know the prepareStatement method should escape single quotes (Мaybe I'm wrong). 据我所知,prepareStatement方法应转义单引号(М,我错了)。 I'll be glad for any suggestions. 我会很高兴提出任何建议。
3 个解决方案
解决方案1
3 已采纳 2015-05-26 11:02:35
To use prepared statements correctly, you need to use parameter placeholders ( ? ) and set the values on the statement. 要正确使用准备好的语句,您需要使用参数占位符( ? )并在语句上设置值。 This will automatically give you protection against SQL injection. 这将自动为您提供防止SQL注入的保护。
You need to change your code to: 您需要将代码更改为:
String sql = "INSERT INTO posts VALUES (?, ?)";
try (PreparedStatement statement = conn.prepareStatement(sql)) {
statement.setString(1, postTitle);
statement.setString(2, postContent);
statement.executeUpdate();
}
See also JDBC Basics - Using Prepared Statements for examples of how to use PreparedStatement . 有关如何使用PreparedStatement示例,另请参见JDBC基础-使用预处理语句 。
I have also changed your code to use try-with-resources, as this will always close the statement correctly (even if an exception occurs), which the code in your question does not. 我还更改了您的代码以使用try-with-resources,因为这将始终正确关闭语句(即使发生异常),而您问题中的代码也不会。
Note that it would be better if you explicitly specify the columns you are inserting to. 请注意,最好是显式指定要插入的列。 This protects your code against columns changing order or new - optional - columns added: 这样可以保护您的代码,以防止列更改顺序或添加新的(可选的)列:
INSERT INTO posts(title, content) VALUES (?, ?)
解决方案2
2 2015-05-26 10:32:26
You shouldn't use concatenation for inserting parameter values in a SQL query. 您不应该使用串联在SQL查询中插入参数值。 Use question marks and set* methods. 使用问号和set *方法。 This will ensure escaping. 这将确保逃生。
PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, 153833.00)
pstmt.setInt(2, 110592)
See the docs: https://docs.oracle.com/javase/8/docs/api/java/sql/PreparedStatement.html 请参阅文档: https : //docs.oracle.com/javase/8/docs/api/java/sql/PreparedStatement.html
解决方案3
0 2015-05-26 10:52:24
replace 更换
String sql = "INSERT INTO posts VALUES ( '"+postTitle+"', '"+postContent+"')";
with 与
String sql = "INSERT INTO posts VALUES ( '"+postTitle.replace("'","''")+"', '"+postContent.replace("'","''")+"')";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.