ORA-00917:逗号缺失-插入查询失败
[英]ORA-00917: missing comma - Insert query failed
问题描述
I'm trying to create insert query in JSP page as follows 
我正在尝试在JSP页面中创建插入查询,如下所示
try
{
Class.forName("oracle.jdbc.driver.OracleDriver");
}
catch (ClassNotFoundException e)
{
e.printStackTrace();
}
try
{
connection = DriverManager.getConnection(
"jdbc:oracle:thin:@localhost:1521:" + "XE", "hr","hr");
if (connection != null)
{
statement = connection.createStatement();
String q2 = "INSERT INTO HR.tweets (";
q2 = q2 + "DATE_TIME,USER_NAME,TWEET_BEFORE,TWEET_AFTER)";
q2 = q2 + "VALUES (";
q2 = q2 + "(select SYSDATE from dual),";
q2 = q2 + "'" + tweet.getUser().getScreenName() + "'" + ",";
q2 = q2 + "'" + tweet.getText() + "'" +",";
q2 = q2 + "'" + finalstring + "')";
statement.execute(q2);
statement.close();
connection.close();
}
}
catch (SQLException e)
{
e.printStackTrace();
}
At statement.execute(q2) I'm getting ORA-00917: missing comma error . 在statement.execute(q2)我得到ORA-00917: missing comma error 。
The following query is created in a code : 以下查询是通过代码创建的:
INSERT INTO HR.tweets (DATE_TIME,USER_NAME,TWEET_BEFORE,TWEET_AFTER)VALUES ((select SYSDATE from dual),'Dannazxcv','RT @HugotInhinyero: Wish we could turn back time to the good old days. When our mama sings us to sleep but now we're stressed out.🎶🎶
#engin…','hugotinhinyero turn back time good days. mama sing sleep we're stress out. engin' )
Please help me. 请帮我。
4 个解决方案
解决方案1
1 2016-02-07 12:50:45
Your SQL insert has an syntax error since one of your parameters contains a ' : 您的SQL插入有语法错误,因为其中一个参数包含' :
'hugotinhinyero turn back time good days. mama sing sleep we're stress out. engin'
To avoid this kind of errors, don't build SQL strings manually, but use a PreparedStatement and parameters instead: 为避免此类错误,请不要手动构建SQL字符串,而应使用PreparedStatement和参数:
String insert = "INSERT INTO HR.tweets (DATE_TIME,USER_NAME,TWEET_BEFORE,TWEET_AFTER) " +
" VALUES ((select SYSDATE from dual),?,?,?)";
PreparedStatement stmt = connection.prepareStatement(insert);
stmt.setParameter(1, tweet.getUser().getScreenName());
stmt.setParameter(2, tweet.getText());
stmt.setParameter(3, finalstring);
stmt.executUpdate();
解决方案2
0 2016-02-07 12:51:33
The problem here is that you are using special characters, which causes the statement sent through to the database to be invalid. 这里的问题是您正在使用特殊字符,这会导致发送到数据库的语句无效。
Try using a prepared statement like this... 尝试使用这样的准备好的语句...
PreparedStatement pstatement = null;
Connection connection = null;
try
{
connection = DriverManager.getConnection(
"jdbc:oracle:thin:@localhost:1521:" + "XE", "hr","hr");
if (connection != null)
{
pstatement = connection.prepareStatement("INSERT INTO HR.tweets (DATE_TIME,USER_NAME,TWEET_BEFORE,TWEET_AFTER) VALUES ((select SYSDATE from dual),?,?,?)");
q2 = q2 + "'" + tweet.getUser().getScreenName() + "'" + ",";
q2 = q2 + "'" + tweet.getText() + "'" +",";
q2 = q2 + "'" + finalstring + "')";
pstatement.setString(1, tweet.getUser().getScreenName());
pstatement.setString(2,tweet.getText());
pstatement.setString(3, finalstring);
pstatement.execute();
}
}
catch (SQLException e)
{
e.printStackTrace();
}finally{
pstatement.close();
connection.close();
}
...prepared statements usually take care of malformed strings and invalid quotes sent to the DB. ...准备好的语句通常会处理格式错误的字符串和发送给数据库的无效引号。
解决方案3
0 2016-02-07 12:57:52
Use PreparedStatement instead of Statement . 使用PreparedStatement代替Statement 。
Your query will always fail if any of your field will contain quote character ( ' ). 如果您的任何字段包含引号( ' ),则查询将始终失败。
Besides, your query is vulnerable to SQL injection attack, while PreparedStatement guards against a such attack. 此外,您的查询容易受到SQL注入攻击,而PreparedStatement可以防止此类攻击。
Details on PreparedStatement can be found in this tutorial: 可以在本教程中找到有关PreparedStatement的详细信息:
http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html
This is a very very basic knowledge so I dont't explain it here. 这是非常非常基础的知识,因此在此不做解释。
解决方案4
0 2016-02-07 18:13:53
As mentioned by @wero, the issue with the query is that it contains a quote ('). 如@wero所述,查询的问题在于它包含引号(')。 To escape it you can use a backslash (\\). 要转义它,可以使用反斜杠 (\\)。
Eg: we\'re
However like other's have suggested, its safer to use prepared-statements which also take care of guarding against sql-injection as a bonus ! 但是,就像其他人所建议的那样,使用预处理语句更安全,该语句还应注意防止将sql-injection作为奖励!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.