堆栈内存溢出
  简体   繁体   English

在SQL中使用Java插入Java变量

[英]Insert Java variable using Java in SQL

 原文  2010-02-13 04:45:11       java/ oracle/ jdbc

问题描述

I was trying to do: 我试图这样做: 

 String sql = "INSERT INTO CURRENT_WEATHER_US VALUES("+city_code+",   
"+object.city+","+object.region+","+object.country+","+object.wind_chill+",  
"+object.wind_direction+", "+object.wind_speed+","+object.humidity+","+object.visibility+", 
"+object.pressure+","+object.rising+",  
"+object.sunrise+","+object.sunset+","+object.textual_description+",  
"+object.condition_code+","+object.temp+","+object.for_temp_high+",  
"+object.for_temp_low+","+object.for_description+","+object.forecast_code+")";   

  stmt.execute(sql);

Error is missing comma 错误缺少逗号

Please Help 请帮忙

3 个解决方案

解决方案1
 27 已采纳  2010-02-13 05:00:46

This is not really the way you're supposed to construct and execute a SQL INSERT query with variables. 这不是你应该用变量构造和执行SQL INSERT查询的方式。 This is not only prone to SQL injection attacks , but it is also pretty .. cumbersome ;) Possibly a value contained a singlequote and caused your query to be syntactically invalid. 这不仅容易发生SQL注入攻击 ,而且它也非常麻烦;)可能一个值包含单引号并导致您的查询在语法上无效。

Just do not string-concatenate variables into a SQL string. 只是不要将变量字符串连接成SQL字符串。 Instead, use PreparedStatement ( tutorial here ) in combination with ? 相反,使用PreparedStatement这里的教程 )与? as placeholder for the variable in the SQL string. 作为SQL字符串中变量的占位符。 This way you can nicely put fullworthy Java objects (including Date and InputStream !) in a SQL statement by value index without worrying about characters in strings which may syntactically break the SQL query (and thus also induce SQL injection risks). 通过这种方式,您可以通过值索引很好地将完整的Java对象(包括DateInputStream !)放在SQL语句中,而不必担心字符串中可能在语法上破坏SQL查询的字符(从而也会导致SQL注入风险)。

Here's a kickoff example based on your original SQL query: 这是基于原始SQL查询的启动示例: 

private static final String SQL_INSERT = "INSERT INTO CURRENT_WEATHER_US"
    + " VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";

public void create(String cityCode, Weather weather) throws SQLException {
    try (
        Connection connection = database.getConnection();
        PreparedStatement statement = connection.prepareStatement(SQL_INSERT);
    ) {
        statement.setString(1, cityCode);
        statement.setString(2, weather.getCity());
        statement.setString(3, weather.getRegion());
        // ...
        statement.setString(20, weather.getForecastCode());
        statement.executeUpdate();
    }
}

To learn more about using basic JDBC the proper way, you may find this article useful. 要以正确的方式了解有关使用基本JDBC的更多信息,您可能会发现本文很有用。

Hope this helps. 希望这可以帮助。

解决方案2
 3  2010-02-13 05:01:35

You should look into using PrepairedStatements instead of building Strings. 您应该考虑使用PrepairedStatements而不是构建字符串。 They are quicker and take care of many pitfalls related to quoting and escaping values. 他们更快,并处理与引用和逃避价值相关的许多陷阱。

解决方案3
 0  2010-02-13 19:17:08

Like all the others say, you really should convert it to use PreparedStatements for a number of reasons. 像所有其他人一样,出于多种原因,你真的应该将其转换为使用PreparedStatements。 You are most likely getting the error (you didn't post the exact ORA error) because you passing in String type values, but you didn't wrap them in single quotes in your hard coded query. 您最有可能收到错误(您没有发布确切的ORA错误),因为您传入了String类型值,但是您没有在硬编码查询中将它们包装在单引号中。

If textual_description and for_description where the only String type columns in your query, then your query would need to look like this: 如果textual_description和for_description在查询中只有String类型列,那么您的查询需要如下所示: 

String sql = "INSERT INTO CURRENT_WEATHER_US VALUES( " +
    city_code + ", " +
    object.city + ", " +
    object.region + ", " +
    object.country + ", " +
    object.wind_chill  + ", " +
    object.wind_direction + ", " +
    object.wind_speed + ", " +
    object.humidity + ", " +
    object.visibility + ", " +
    object.pressure + ", " +
    object.rising + ", " +
    object.sunrise + ", " +
    object.sunset + ", " +
    "'" + object.textual_description + "', " +
    object.condition_code + ", " +
    object.temp + ", " +
    object.for_temp_high + ", " +
    object.for_temp_low + ", " +
    "'" + object.for_description + "', " +
    object.forecast_code + 
    " )";   

stmt.execute(sql);

Notice the single quotes surrounding those values now. 请注意现在围绕这些值的单引号。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用JAVA慢速插入SQL - Slow INSERT into SQL using JAVA 使用Java和sql INSERT查询在MS Access中插入字符串类型变量和日期类型变量 - Insert String type variables and a date type variable in MS access using java and sql INSERT Query 在sql语句中使用java变量 - using java variable in sql statement 在 Java 中使用 GregorianCalendar 在 Oracle SQL 中插入时间 - Insert time in Oracle SQL using GregorianCalendar in java 如何使用java将值插入sql服务器? - how insert value into sql sever using java? 使用 java 问题向 sql 插入数据 - Insert data to sql using java issue 同时使用INSERT INTO和UPDATE-JAVA SQL - Using INSERT INTO & UPDATE at the same time - JAVA SQL 使用Java在mongodb中将SQL日期作为ISODate插入 - Insert SQL Date as ISODate in mongodb using Java 使用Java在SQL表中插入不起作用 - INSERT IN SQL TABLE using java does not work Java SQL列插入 - java sql column insert
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM