[英]How to use variable names as column names and table names inside prepared statement while using oracle database
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.sql.*;
import javax.servlet.ServletException;
public class showdata extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse responce)
int s=0;
PrintWriter out = responce.getWriter();
responce.setContentType("text/html");
out.println("<html><body>");
I am reading 3 variables t
, a
, b
which I have to use in my oracle query.我正在读取 3 个变量t
、 a
、 b
,我必须在我的 oracle 查询中使用它们。
String t = request.getParameter("type");
String a = request.getParameter("about");
String b = request.getParameter("bird");
try {
Class.forName("oracle.jdbc.driver.OracleDriver");
Connection con = DriverManager.getConnection(
"jdbc:oracle:thin:@localhost:1521:XE","hr","praveen");
Statement stmt = con.createStatement();
out.println("<html>");
out.println("<body bgcolor='#56A5EC'>");
String query = "select ****** from ******* ;
I had to select columns a
and b
from table t
.我必须从表t
选择列a
和b
。 How to write that variable names a
, b
, t
in above query?如何在上面的查询中写出变量名a
, b
, t
?
ResultSet rs = stmt.executeQuery(query);
catch (Exception e) {
System.out.println(e.getMessage());
}
out.println("</body>");
out.println("</html>");
}
}
First read the post that Gord Thompson referred to.首先阅读戈德汤普森提到的帖子。
The short answer is:简短的回答是:
String query = "select " + a +","+ b + " from " + t ;
However, this leaves you open to sql injection attacks .但是,这让您容易受到sql 注入攻击。 You need to make sure that the three variables are legal column and table names.您需要确保这三个变量是合法的列名和表名。 Only letters, numbers, underscore or dollar sign allowed.只允许使用字母、数字、下划线或美元符号。
It would be better if the front end did not pass in the names directly.前端不直接传名字就更好了。 Instead, pass in a number and the java code would have to "look up" the names.相反,传入一个数字,Java 代码将不得不“查找”名称。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.