[英]SQL query sees the value as a column name
我试图建立与数据库的连接,然后运行INSERT INTO查询,但是在代码运行时,出现错误: com.microsoft.sqlserver.jdbc.SQLServerException: Invalid column name 'BLUE'.
正如您在下面的代码中看到的那样,我将“ BLUE”作为值而不是列名。 有人知道我在做什么错吗? ps color是一个Enum,其他所有值都是double。
String query = "INSERT INTO [oval] " +
"(anchorX, anchorY, width, height, weight, color) VALUES " +
"(" + drawingItem.getAnchor().getX() +
", " + drawingItem.getAnchor().getY() +
", " + drawingItem.getWidth() +
", " + drawingItem.getHeight() +
", " + ((Oval) drawingItem).getWeight() +
", " + drawingItem.getColor().toString() + ")";
initConnection();
Statement myStmt = con.createStatement();
rowsAffected = myStmt.executeUpdate(query);
closeConnection();
编辑答案:
String query = "INSERT INTO [oval] VALUES (?,?,?,?,?,?)";
initConnection();
PreparedStatement myPrepStmt = con.prepareStatement(query);
myPrepStmt.setDouble(1, drawingItem.getAnchor().getX());
myPrepStmt.setDouble(2, drawingItem.getAnchor().getY());
myPrepStmt.setDouble(3, drawingItem.getWidth());
myPrepStmt.setDouble(4, drawingItem.getHeight());
myPrepStmt.setDouble(5, ((Oval)drawingItem).getWeight());
myPrepStmt.setString(6, drawingItem.getColor().toString());
rowsAffected = myPrepStmt.executeUpdate();
closeConnection();
如建议的那样,使用参数化查询来防止SQL注入。 对于当前的问题,必须对每个字符串值使用单引号。
例如:
"('" + drawingItem.getAnchor().getX() +
"', '" +
正确的方法是:
String query = "INSERT INTO [oval] " +
"(anchorX, anchorY, width, height, weight, color) VALUES " +
"(?, ?, ?, ?, ?, ?)";
initConnection();
int i = 1;
Statement myStmt = con.prepareStatement(query);
myStmt.setInt(i++, drawingItem.getAnchor().getX());
myStmt.setInt(i++, drawingItem.getAnchor().getY());
myStmt.setString(i++, drawingItem.getWidth());
myStmt.setString(i++, drawingItem.getHeight());
myStmt.setFloat(i++, ((Oval) drawingItem).getWeight());
myStmt.setString(i++, drawingItem.getColor().toString());
rowsAffected = myStmt.executeUpdate();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.