
org.h2.jdbc.JdbcSQLSyntaxErrorException h2 database java

Exception in thread "main" org.h2.jdbc.JdbcSQLSyntaxErrorException: Syntax error in SQL statement "INSERT INTO SMTP_DATA(SMTP_SERVER, SMTP_USERNAME, SMTP_PASSWORD, SMTP_FROM, SMTP_TO) VALUES (DEMO.STMP.COM, DEMOUSERNAME, DEMOPASSWORD, FROMDEMO@[*]MAIL.COM, TODEMO@MAIL.COM);"; expected "(, ., [, ::, AT, FORMAT, *, /, %, +, -, ||, ~, !~, NOT, LIKE, ILIKE, REGEXP, IS, IN, BETWEEN, AND, OR, ,, )"; SQL statement:

I am kind of new to H2 and SQL statements. I try to insert values into a table:

INSERT  INTO smtp_data(smtp_server, smtp_username, smtp_password, smtp_from, smtp_to) VALUES (demo.stmp.com, demousername, demopassword, fromdemo@mail.com, todemo@mail.com);

I think the commas are causing a problem in the values. How do I format this correctly so that I don't get this exception?

This is the table:

create table if not exists smtp_data(id int primary key auto_increment, smtp_server varchar(30) not null, smtp_username varchar(30) not null, smtp_password varchar(40) not null, smtp_from varchar(20) not null, smtp_to varchar(20) not null);

String literals need to be in ' symbols. So, whenever you write a table or column name, just write it. But when you write actual data, use ' : INSERT INTO smtp_data(smtp_server) VALUES ('put this stuff in quotes');

HOWEVER

This should NEVER come up. The problem is, usually input is not exactly 'safe'. Some user entered it someplace (and who knows what malicious intent they might have), or somebody who doesn't know the exact process flow of this app did it. Even if currently you don't think that can happen, software has the nasty tendency to be used for things that you didn't imagine it would be used for when you write it. Hence, this is a huge security disaster waiting to happen. After all, what if somebody tries, for funsies, this SMTP server:

haha hacked your box'); DROP TABLE smtp_data CASCADE; SHELL_EXEC 'FORMAT C: /y /force'; --

The day someone does that is going to be a very, very bad day for you.

The solution is something called PreparedStatement, where instead of text values like 'smtp.server.com', you just put an unquoted question mark: INSERT INTO smtp_data(field1, field2) VALUES (?, ?); - that's the SQL you pass to PreparedStatement. Then separately you 'set' the value for each question mark:

ps.setString(1, "smtp.server.com");

This roundabout way means that if some clown tries smtp.server.com'; hack the things it simply won't work. Everything is safely escaped by the DB engine itself, which is the only one that can reliably do this.

You need to be doing it this way, or you're going to write a security leak. Not a matter of if, but when.
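The following is an added example, not code from the question or the answer above. It takes the questioner's smtp_data table and performs the insert with a PreparedStatement as the answer recommends, alongside the string-concatenation version it warns against, so the difference is visible on a concrete row. It assumes the H2 JDBC driver is on the classpath; the in-memory JDBC URL, the class and method names, and the sample row values are all constructed for this demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example (not part of the original post). Inserts into the smtp_data
 * table from the question using a PreparedStatement. Assumes the H2 JDBC
 * driver is on the classpath; the in-memory URL and row values are constructed.
 */
public class SmtpDataInsert {

    // The questioner's DDL, with the missing closing parenthesis added.
    private static final String CREATE_TABLE =
        "create table if not exists smtp_data(id int primary key auto_increment, "
        + "smtp_server varchar(30) not null, smtp_username varchar(30) not null, "
        + "smtp_password varchar(40) not null, smtp_from varchar(20) not null, "
        + "smtp_to varchar(20) not null)";

    // Placeholders instead of quoted literals: the SQL text is fixed, and the
    // driver ships the values separately, so data can never alter the statement.
    private static final String INSERT =
        "INSERT INTO smtp_data(smtp_server, smtp_username, smtp_password, smtp_from, smtp_to) "
        + "VALUES (?, ?, ?, ?, ?)";

    static void insertSmtpData(Connection conn, String server, String user,
                               String password, String from, String to) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(INSERT)) {
            ps.setString(1, server);
            ps.setString(2, user);
            ps.setString(3, password);
            ps.setString(4, from);
            ps.setString(5, to);
            ps.executeUpdate();
        }
    }

    // The anti-pattern the answer warns about, kept only for contrast: even a
    // legitimate value containing an apostrophe breaks the statement, and
    // hostile input can rewrite it.
    static void insertByConcatenation(Connection conn, String server) throws SQLException {
        String sql = "INSERT INTO smtp_data(smtp_server, smtp_username, smtp_password, smtp_from, smtp_to) "
            + "VALUES ('" + server + "', 'u', 'p', 'f@mail.com', 't@mail.com')";
        try (Statement st = conn.createStatement()) {
            st.executeUpdate(sql);
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute(CREATE_TABLE);
            }

            // Constructed sample row; the apostrophe in the host name is legal data.
            String awkwardHost = "smtp.o'hara.example";

            try {
                insertByConcatenation(conn, awkwardHost);
            } catch (SQLException e) {
                // H2 rejects the concatenated statement: the quote ends the literal early.
                System.out.println("concatenation failed: " + e.getMessage());
            }

            // The parameterised insert stores the same value unchanged.
            insertSmtpData(conn, awkwardHost, "demousername", "demopassword",
                           "fromdemo@mail.com", "todemo@mail.com");

            try (Statement st = conn.createStatement();
                 ResultSet rs = st.executeQuery("SELECT smtp_server FROM smtp_data")) {
                while (rs.next()) {
                    System.out.println("stored: " + rs.getString(1));
                }
            }
        }
    }
}
```

Run it with the H2 jar on the classpath; the concatenated insert fails with a JdbcSQLSyntaxErrorException of the same family as the one in the question, while the PreparedStatement version stores smtp.o'hara.example exactly as given. The same mechanism is what keeps the quote-terminating input in the answer from ever being parsed as SQL.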

I think you are missing the single quotes around your values; see here: https://www.codegrepper.com/code-examples/sql/h2+insert+data+on+startup
