[英]java.sql.SQLSyntaxErrorException-ORA-01722: invalid number - Prepared statement
I am fixing some SQL Injection issues in the code by removing the replaceAll() in code.我正在通过删除代码中的 replaceAll() 来修复代码中的一些 SQL 注入问题。 I am replacing the named parameters in the query with the placeholders and using in it the prepared statement.
我正在用占位符替换查询中的命名参数,并在其中使用准备好的语句。 I am getting below issue, please advice.
我遇到以下问题,请指教。
Query:询问:
<entry key= "GET DATA">
select ATYPE, ANAME, AGRID, AVALUE
from ALG_RSV.TERMS
--where AGRID in (':AGRS') // changed this line
where AGRID in (?) // to this
order by 2,1
Code:代码:
{...
List<String> agreeIDs = getAgree
String agrID = String.join(",",agreeIDs);
// String sqlQuery = CSRConsole.getProperty(GET DATA).replaceAll(":AGRS", agrID);//
commented out replaceALL
String sqlQuery = CSRConsole.getProperty(GET DATA); //Changed like this
prepStat= Conn.prepareStatement(sqlQuery);
prepStat.setString(1, agrID);// changed like this, getting issue in this line
rs = prepStat.executeQuery();
.....}
Error:错误:
java.sql.SQLSyntaxErrorException-ORA-01722: invalid number
java.sql.SQLSyntaxErrorException-ORA-01722:无效数字
Can someone help me with this?有人可以帮我弄这个吗? what is the issue here?
这里有什么问题? how to convert named parameters to placeholders?
如何将命名参数转换为占位符?
I'm not sure of the entirety of your question, but the Java PreparedStatement
statement API does not used named placeholders, it only uses positional placeholders which are indicated by ?
我不确定您的问题的全部内容,但 Java
PreparedStatement
语句 API 不使用命名占位符,它只使用由?
. . From the official documentation , here is a sample code:
从官方文档,这里是一个示例代码:
String updateString = "update COFFEES " + "set SALES = ? where COF_NAME = ?";
PreparedStatement updateSales = con.prepareStatement(updateString);
updateSales.setInt(1, e.getValue().intValue());
updateSales.setString(2, e.getKey());
updateSales.executeUpdate();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.