SQL語句末尾缺少分號（;）

Question

我試圖通過將表中的值與我從ID號捕獲的有關用戶的變量進行比較，將值插入數據庫中另一個表的表中。

我收到以下錯誤：

java.sql.SQLException: [Microsoft][ODBC Microsoft Access Driver] Missing semicolon (;) at end of SQL statement.

這是我嘗試上面的代碼：

    Statement stmt1 = con.createStatement();

    String mySqlStatement1 = "INSERT INTO Entrant_Group VALUES (Group_Description) WHERE Group_MinAge <= " + details.getAge() + "AND Group_MaxAge >= " + details.getAge() + "AND Group_Gender = 'details.getGender()'";
    stmt1.executeUpdate(mySqlStatement1);

Answer 1

將有關SQL注入攻擊的標准警告擱置一會兒，您的語句的問題是您的引號錯誤，並且AND之前沒有空格：

String mySqlStatement1 = "INSERT INTO Entrant_Group VALUES (Group_Description) WHERE Group_MinAge <= "
 +   details.getAge()
 +   " AND Group_MaxAge >= " // Add space
 +   details.getAge()
 +   " AND Group_Gender = '" // Add space
 +   details.getGender()     // This part was enclosed in double-quotes
 +   "';";                   // Add semicolon at the end

為了防止注入攻擊，您應該對查詢進行參數化，並將值綁定到准備好的語句的參數：

String mySqlStatement1 = "INSERT INTO Entrant_Group VALUES (Group_Description) WHERE Group_MinAge <= ? AND Group_MaxAge >= ? AND Group_Gender = ?;";