
Query doesn't work when parameters are provided

This works just fine:

Connection conn = DatabaseConnection.getConnection();
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM Persons ORDER BY firstName DESC");
ResultSet rs = stmt.executeQuery();

But this one doesn't work:

Connection conn = DatabaseConnection.getConnection();
// Both the column name and the sort direction are passed as bound parameters
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM Persons ORDER BY ? ?");
stmt.setString(1, "firstName");
stmt.setString(2, "Desc");
ResultSet rs = stmt.executeQuery();

Not sure why this would not work. Both my parameters are variables, and that's the reason I would want to set them explicitly.

Placeholders (?) in prepared statements are used for value replacement. You cannot set the 'DESC' attribute of ORDER BY using the setString method.

From the PreparedStatement setString javadocs:

Sets the designated parameter to the given Java String value. The driver converts this to an SQL VARCHAR or LONGVARCHAR value (depending on the argument's size relative to the driver's limits on VARCHAR values) when it sends it to the database.

In case you want to take the ORDER as a parameter to your DAO method, then simply use String replacement in the query. Maybe like this:

public void myDAOMethod(String firstName, String order) throws SQLException {

    // The sort direction is part of the SQL text, not a bound value, so it is
    // concatenated into the query string. Because it ends up inside the SQL,
    // 'order' must be checked against a fixed set (ASC/DESC) before use.
    String query = "SELECT * FROM Persons ORDER BY firstName " + order;
    Connection conn = DatabaseConnection.getConnection();
    PreparedStatement stmt = conn.prepareStatement(query);
    ResultSet rs = stmt.executeQuery();

}

Actually, in the case of a prepared statement your query is converted into something like:

SELECT * FROM Persons ORDER by 'firstname' 'Desc'

This behaviour provides protection against SQL injection. 此行为可防止SQL注入。
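Putting both answers together, as an added example that is not code from the question or from either answer: identifiers (the sort column and direction) are checked against a fixed allow-list before being spliced into the SQL text, while data values still travel through `?` placeholders and are never concatenated. The `Persons` table and `firstName` column come from the question; the `lastName` column, the `PersonQueries` class and the `findByLastName` method are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public final class PersonQueries {
    // Allow-list of sortable columns, keyed case-insensitively and mapped to the exact
    // identifier that is spliced into the SQL text (never the caller's raw string).
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "firstname", "firstName",
            "lastname", "lastName");
    private static final Set<String> SORT_DIRECTIONS = Set.of("ASC", "DESC");

    // Builds the SQL text. Identifiers come from the allow-list; the lastName value is
    // left as a '?' placeholder because values are what prepared statements can bind.
    public static String buildQuery(String sortColumn, String direction) {
        String column = SORT_COLUMNS.get(sortColumn.trim().toLowerCase(Locale.ROOT));
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        String dir = direction.trim().toUpperCase(Locale.ROOT);
        if (!SORT_DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unsupported sort direction: " + direction);
        }
        return "SELECT * FROM Persons WHERE lastName = ? ORDER BY " + column + " " + dir;
    }

    // Hypothetical DAO method: the only caller-supplied text that reaches the SQL parser
    // is the allow-listed identifier pair; lastName is sent as a bound parameter.
    // The caller is responsible for closing the returned ResultSet and its statement.
    public static ResultSet findByLastName(Connection conn, String lastName,
                                           String sortColumn, String direction) throws SQLException {
        PreparedStatement stmt = conn.prepareStatement(buildQuery(sortColumn, direction));
        stmt.setString(1, lastName);
        return stmt.executeQuery();
    }

    public static void main(String[] args) {
        System.out.println(buildQuery("firstName", "Desc"));
        // Constructed inputs that are not on the allow-list are rejected before any SQL runs.
        for (String[] bad : new String[][] {{"email", "ASC"}, {"firstName", "DESCENDING"}}) {
            try {
                buildQuery(bad[0], bad[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```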
