
How to use variable names as column names and table names inside prepared statement while using oracle database

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.sql.*;

public class showdata extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse responce)
            throws ServletException, IOException {
        int s = 0;
        // content type must be set before the writer is obtained
        responce.setContentType("text/html");
        PrintWriter out = responce.getWriter();
        out.println("<html><body>");

I am reading 3 variables t, a, b which I have to use in my Oracle query.

        String t = request.getParameter("type");
        String a = request.getParameter("about");
        String b = request.getParameter("bird");
        try {
            Class.forName("oracle.jdbc.driver.OracleDriver");
            Connection con = DriverManager.getConnection(
                "jdbc:oracle:thin:@localhost:1521:XE", "hr", "praveen");
            Statement stmt = con.createStatement();
            out.println("<html>");
            out.println("<body bgcolor='#56A5EC'>");
            String query = "select ****** from *******";

I had to select columns a and b from table t. How do I write the variable names a, b, t in the above query?

            ResultSet rs = stmt.executeQuery(query);
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
        out.println("</body>");
        out.println("</html>");
    }
}

First read the post that Gord Thompson referred to.

The short answer is:

String query = "select " + a + ", " + b + " from " + t;

However, this leaves you open to SQL injection attacks. You need to make sure that the three variables are legal column and table names. Only letters, numbers, underscore or dollar sign are allowed.

It would be better if the front end did not pass in the names directly. Instead, pass in a number and the Java code would have to "look up" the names.
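Both options from the answer, as an added example that is not part of the original post: identifier validation with the letters/digits/underscore/dollar rule, and a lookup table keyed by a code the front end sends. The `SafeIdentifiers` class, the 30-character identifier limit (pre-12.2 Oracle) and the table and column names in the allow-lists are assumptions for illustration; the code needs Java 9+ for `Map.of`.

```java
import java.util.Map;
import java.util.regex.Pattern;

public final class SafeIdentifiers {
    // Unquoted Oracle identifier: leading letter, then letters, digits, _ or $.
    // The 30-character cap is an assumption matching pre-12.2 Oracle limits.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z][A-Za-z0-9_$]{0,29}");

    // Constructed allow-lists: the front end sends a code, the servlet maps it to a name.
    private static final Map<String, String> TABLES = Map.of(
            "1", "BIRDS",
            "2", "SIGHTINGS");
    private static final Map<String, String> COLUMNS = Map.of(
            "10", "NAME",
            "11", "HABITAT");

    /** Option 1: reject anything that is not a legal unquoted identifier before interpolating it. */
    static String checkIdentifier(String name) {
        if (name == null || !IDENT.matcher(name).matches()) {
            throw new IllegalArgumentException("illegal SQL identifier: " + name);
        }
        return name;
    }

    static String buildSelectValidated(String t, String a, String b) {
        return "select " + checkIdentifier(a) + ", " + checkIdentifier(b)
             + " from " + checkIdentifier(t);
    }

    /** Option 2: unknown codes are rejected, so only the listed tables and columns are reachable at all. */
    static String buildSelectByCode(String tableCode, String colCodeA, String colCodeB) {
        String t = TABLES.get(tableCode);
        String a = COLUMNS.get(colCodeA);
        String b = COLUMNS.get(colCodeB);
        if (t == null || a == null || b == null) {
            throw new IllegalArgumentException("unknown table/column code");
        }
        return "select " + a + ", " + b + " from " + t;
    }

    public static void main(String[] args) {
        System.out.println(buildSelectValidated("birds", "name", "habitat"));
        System.out.println(buildSelectByCode("1", "10", "11"));
        try {
            // a space or semicolon is not part of an identifier, so this is refused
            buildSelectValidated("birds; --", "name", "habitat");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that a syntactically valid identifier is still only a syntax check: validation alone lets the caller name any table the connection's user can read, which is why the lookup-by-code approach is the stronger of the two.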
