JDBC MySQL查询错误？

Question

I'm trying to insert some data into mysql database, but I get an error and I can't find the error with the code. 我正在尝试向mysql数据库中插入一些数据，但是出现错误，并且找不到代码错误。 I am not good at mysql. 我不擅长mysql。

String insertQuery = "insert into books(title, author, description, prize)values("
            + title
            + ","
            + author
            + ","
            + desc
            + ", "
            + prize
            +  ");";

mysql> describe books;
+-------------+--------------+------+-----+---------+-------+
| Field       | Type         | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------+-------+
| book_id     | int(11)      | NO   | PRI | NULL    |       |
| title       | varchar(64)  | YES  |     | NULL    |       |
| author      | varchar(64)  | YES  |     | NULL    |       |
| description | varchar(500) | YES  |     | NULL    |       |
| prize       | float        | YES  |     | NULL    |       |
| added       | datetime     | YES  |     | NULL    |       |
+-------------+--------------+------+-----+---------+-------+
6 rows in set (0.01 sec)

The error I get is, 我得到的错误是，

Query: insert into books(title, author, description, prize)values(sfdfdf,fdfdf,Please    limiasasaat your response to 500 characters., 78.9);
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'limiasasaat your response to 500 characters., 78.9)' at line 1

Answer 1

You string values are not enclosed with single quotes. 字符串值没有用单引号引起来。 Try this: 尝试这个：

String insertQuery = "insert into books(title, author, description, prize)values('"
            + title
            + "','"
            + author
            + "','"
            + desc
            + "', "
            + prize
            +  ");";

Example of Prepared Statement at RoseIndia RoseIndia的准备好的语句示例

UPDATE 1 更新1

sample of PreparedStatement: PreparedStatement的样本：

//other codes here
String iSQL = "Insert into books(title, author, description, prize) values (?,?,?,?)";
// con is your active connection object
PreparedStatement pstmt = con.prepareStatement(iSQL);
pstmt.setString(1, title);
pstmt.setString(2, author);
pstmt.setString(3, desc);
pstmt.setFloat(4, prize);
pstmt.executeUpdate();
//other codes here

but don't forget to this statement at the top of your class: import java.sql.*; 但是不要忘了在您的课程顶部发表以下声明： import java.sql.*;

Answer 2

your problem is that you don't have quotes around your varchar parameters I think. 我的问题是您在varchar参数周围没有引号。

you could fix this by simply including quotes around those paramaters that need them: 您可以通过在需要它们的参数周围加上引号来解决此问题：

String insertQuery = "insert into books(title, author, description, prize)values('"
            + title
            + "','"
            + author
            + "','"
            + desc
            + "', "
            + prize
            +  ");";

however this is still not a good solution as you still won't be able to handle any input which contains a single quote (if the desc parameter contained the string Don't try this the query would then fail, as the ' in the don't would terminate the desc parameter and the parser would then expect a , but would encounter t try this ) and are open to an SQL injection attack . 然而，这仍然不是一个很好的解决方案，你仍然无法处理其中包含一个单引号任何输入（如果desc参数包含字符串Don't try this则查询会失败，因为'在don't将终止desc参数，然后解析器会期待,但会遇到t try this ），并公开向SQL注入攻击。

What you should be doing is using prepared statements. 您应该做的是使用准备好的语句。 This makes it safe and you don't need to then worry about escaping issue as this is all handled for you. 这样可以确保安全，并且您无需担心转义问题，因为这一切都已为您处理。 You can hack it to work as indicated above. 您可以按照上述说明对其进行破解。 But for your own sanity, and for everyone that has to deal with your code after you, please spend a little time to learn prepared statements and use them. 但是出于您自己的理智，以及对于每个需要处理您的代码的人，请花点时间学习准备好的语句并使用它们。 Future you will thank current you. 将来你会感谢你的。

There is a prepared statement tutorial on the oracle java website . oracle java网站上有一个准备好的语句教程。

Using index based prepared statements always seems a little fragile to me. 对我来说，使用基于索引的预备语句总是有些脆弱。 There is an example of how you can bind parameters by name which can make your PreparedStatements a little easier to read, so they might end up like this: 有一个示例，说明如何通过名称绑定参数，这可以使您的PreparedStatement更加易于阅读，因此它们最终可能像这样：

String iSQL = "Insert into books(title, author, description, prize) values (:title,:author,:description,:prize)";

NamedParameterStatement pstmt =new NamedParameterStatement(connection,iSQL);
pstmt.setString("title", title);
pstmt.setString("author", author);
pstmt.setString("description", desc);
pstmt.setFloat("prize", prize);
pstmt.executeUpdate();

Answer 3

I'd suggest use Prepared Statement but if you still want to go with the way you have then you will have to somehow tell MYSQL that this is a character(s) entry and this is a integer entry. 我建议使用Prepared Statement，但是如果您仍然想按照自己的方式进行操作，那么您将不得不以某种方式告诉MYSQL这是一个字符条目，这是一个整数条目。

To define the difference between character entries and integer entries you will have to add single quote around the Character entries. 要定义字符条目和整数条目之间的差异，您必须在字符条目周围添加单引号。

Answer 4

Use preparedStatement. 使用prepareStatement。 Using statement in places where values will change will definitely lead you to such conclusions. 在价值会发生变化的地方使用陈述肯定会导致您得出这样的结论。 A very good example is given by johntotetwoo. johntotetwoo给出了一个很好的例子。 Have a look at it. 看看它。

JDBC MySQL查询错误？

问题描述

4 个解决方案

解决方案1
4 已采纳 2012-05-20 10:06:55

解决方案2
3 2012-05-20 10:03:34

解决方案3
1 2012-05-20 10:11:28

解决方案4
1 2012-05-20 12:01:13

JDBC MySQL查询错误？

问题描述

4 个解决方案

解决方案1 4 已采纳 2012-05-20 10:06:55

解决方案2 3 2012-05-20 10:03:34

解决方案3 1 2012-05-20 10:11:28

解决方案4 1 2012-05-20 12:01:13

解决方案1
4 已采纳 2012-05-20 10:06:55

解决方案2
3 2012-05-20 10:03:34

解决方案3
1 2012-05-20 10:11:28

解决方案4
1 2012-05-20 12:01:13