将参数传递给 JDBC PreparedStatement
[英]Passing parameters to a JDBC PreparedStatement
问题描述
I'm trying to make my validation class for my program.
我正在尝试为我的程序创建验证类。 I already establish the connection to the MySQL database and I already inserted rows into the table.我已经建立了与 MySQL 数据库的连接,并且已经将行插入到表中。 The table consists of firstName , lastName and userID fields.该表由firstName 、 lastName和userID字段组成。 Now I want to select a specific row on the database through my parameter of my constructor.现在我想通过我的构造函数的参数选择数据库上的特定行。
import java.sql.*;
import java.sql.PreparedStatement;
import java.sql.Connection;
public class Validation {
private PreparedStatement statement;
private Connection con;
private String x, y;
public Validation(String userID) {
try {
Class.forName("com.mysql.jdbc.Driver");
con = DriverManager.getConnection(
"jdbc:mysql://localhost:3306/test", "root", "");
statement = con.prepareStatement(
"SELECT * from employee WHERE userID = " + "''" + userID);
ResultSet rs = statement.executeQuery();
while (rs.next()) {
x = rs.getString(1);
System.out.print(x);
System.out.print(" ");
y = rs.getString(2);
System.out.println(y);
}
} catch (Exception ex) {
System.out.println(ex);
}
}
}
But it doesn't seem work.但它似乎不起作用。
6 个解决方案
解决方案1
53 已采纳 2012-10-05 11:24:22
You should use the setString() method to set the userID .您应该使用setString()方法来设置userID 。 This both ensures that the statement is formatted properly, and prevents SQL injection :这既可以确保语句的格式正确,又可以防止SQL injection :
statement =con.prepareStatement("SELECT * from employee WHERE userID = ?");
statement.setString(1, userID);
There is a nice tutorial on how to use PreparedStatement s properly in the Java Tutorials .在Java 教程中有一个关于如何正确使用PreparedStatement的很好的教程。
解决方案2
6 2012-10-05 11:25:22
There is a problem in your query..您的查询有问题..
statement =con.prepareStatement("SELECT * from employee WHERE userID = "+"''"+userID);
ResultSet rs = statement.executeQuery();
You are using Prepare Statement.. So you need to set your parameter using statement.setInt() or statement.setString() depending upon what is the type of your userId您正在使用 Prepare Statement .. 所以您需要使用statement.setInt()或statement.setString()设置您的参数,具体取决于您的userId的类型
Replace it with: -替换为:-
statement =con.prepareStatement("SELECT * from employee WHERE userID = :userId");
statement.setString(userId, userID);
ResultSet rs = statement.executeQuery();
Or, you can use ?或者,您可以使用? in place of named value - :userId ..代替命名值 - :userId ..
statement =con.prepareStatement("SELECT * from employee WHERE userID = ?");
statement.setString(1, userID);
解决方案3
5 2012-10-05 11:27:17
If you are using prepared statement, you should use it like this:如果您使用的是准备好的语句,您应该像这样使用它:
"SELECT * from employee WHERE userID = ?"
Then use:然后使用:
statement.setString(1, userID);
? will be replaced in your query with the user ID passed into setString method.将在您的查询中替换为传递给setString方法的用户 ID。
Take a look here how to use PreparedStatement .看看这里如何使用PreparedStatement 。
解决方案4
2 2012-10-05 11:25:08
Do something like this, which also prevents SQL injection attacks做这样的事情,这也可以防止SQL 注入攻击
statement = con.prepareStatement("SELECT * from employee WHERE userID = ?");
statement.setString(1, userID);
ResultSet rs = statement.executeQuery();
解决方案5
1 2012-10-05 11:26:42
You can use '?'您可以使用 '?' to set custom parameters in string using PreparedStatments.使用 PreparedStatments 在字符串中设置自定义参数。
statement =con.prepareStatement("SELECT * from employee WHERE userID = ?");
statement.setString(1, userID);
ResultSet rs = statement.executeQuery();
If you directly pass userID in query as you are doing then it may get attacked by SQL INJECTION Attack.如果您直接在查询中传递用户 ID,那么它可能会受到SQL INJECTION Attack 的攻击。
解决方案6
-2 2017-08-24 18:31:01
The problem was that you needed to add " ' ;"问题是您需要添加“ ';” at the end.在末尾。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.