[英]Checking if a user exists, Java, JDBC and MySQL
我正在尝试检查数据库中是否存在用户,然后为该用户执行一些验证过程,如果没有返回入侵者消息。 我为此使用Java和MySQL。 这是我的代码。
public class Check{
public boolean isPresent(){
connect();// private method that connects to db
boolean isAvailable = false;
String query = "SELECT EXISTS(SELECT 1 FROM students WHERE matric =" + this.myId + ")"; // this.myId has been passed into the constructor
try{
Statement statement;
ResultSet resultSet;
statement = connection.createStatement();
resultSet = statement.executeQuery(query);
if(resultSet.absolute(1)){
isAvailable = true;
}else{
isAvailable = false;
}catch(SQLException e){
e.printStackTrace();
}finally{
closeConnection();// private method that closes connection
return isAvailable;
}
}
我之前已经检查过类似的解决方案,但似乎无法解决该错误。 我读到的错误是:“ where子句中的未知列CCE”,还有来自JDBC API的其他错误。 在我看来,好像是因为我从构建者那里传入的价值而被截断了。
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'CCE' in 'where clause'
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:400)
at com.mysql.jdbc.Util.getInstance(Util.java:383)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:980)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3847)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3783)
at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2447)
at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2594)
at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2541)
at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2499)
at com.mysql.jdbc.StatementImpl.executeQuery(StatementImpl.java:1432)
从轻松修复到正确性
1-引用您的ID将解决您遇到的SQL错误(在ID周围添加'
String query = "SELECT EXISTS(SELECT 1 FROM students WHERE matric = '" + this.myId + "')"; // this.myId has been passed into the constructor
但是,仍然使用子选择存在吗? 为什么不简单地直接让学生呢?
2-删除子选择
String query = "SELECT * FROM students WHERE matric = '" + this.myId + "'";
try{
Statement statement;
ResultSet resultSet;
statement = connection.createStatement();
resultSet = statement.executeQuery(query);
if(resultSet.next()){
isAvailable = true;
}else{
isAvailable = false;
} //Missing in your code
可以将myId视为... myId = "killer'); DROP TABLE STUDENTS; --"
--–您不想这样执行。
String query = "SELECT * FROM students WHERE matric = ?";
try{
PreparedStatement statement;
ResultSet resultSet;
statement = connection.prepareStatement(query);
statement.setString(1, myId);
resultSet = statement.executeQuery();
通过使用try-with-resource,您可以摆脱大多数问题:
String query = "SELECT * FROM students WHERE matric = ?";
try (PreparedStatement statement = connection.prepareStatement(query)) {
statement.setString(1, myId);
try(ResultSet resultSet = statement.executeQuery()) {
return rs.next();
}
} catch(SQLException se) {
se.printStackTrace();
return false;
}
SQL查询不是Java语句/表达式。
代替变量
this.myId
使用占位符,即
?
示例: "SELECT EXISTS(SELECT 1 FROM students WHERE matric =?"
并将其包含在双引号中。
请记住使用PreparedStatement代替Statement
PreparedStatement pst=connection.createStatement();
一旦您使用statement = connection.createStatement();
创建查询statement = connection.createStatement();
只需将myId变量设置为查询,例如:
pst.setString(1,this.myID);
这应该对你有帮助
尝试将此id作为参数传递,并使用准备好的语句使您的代码更有效
public boolean isUserExsit(String id) {
boolean isDuplicated = false;
Connection connection = lockConnection();
String sql = "SELECT 1 FROM students WHERE matric = ? ";
try {
PreparedStatement statement = connection.prepareStatement(sql);
if (statement != null) {
statement.setString(1, id);
try {
ResultSet results = statement.executeQuery();
if (results != null) {
try {
if (results.next()) {
isDuplicated = true;
}
} catch (Exception resultSetException) {
resultSetException.printStackTrace();
}
results.close();
}
} catch (Exception statmentExcption) {
statmentExcption.printStackTrace();
}
statement.close();
}
} catch (Exception generalException) {
generalException.printStackTrace();
}
releaseConnection(connection);
return isDuplicated;
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.