[英]SQL syntax error when connecting with java and using “ ' ”
我已經用Java小程序連接了一個Access數據庫。 在其中,我在為學生及其所在的學校提供價值,其中包括兩所學校(據稱):
小花學校
聖約瑟夫學校
我有一個方法庫和getchestname(這是一次校際比賽。將胸部名稱作為唯一的ID)。 這兩個函數都按以下方式運行sql命令:
//getchestname :
ResultSet rs = db.exec("SELECT * FROM Pariticipants WHERE `school` = '"+schools[sc][1]+"' AND event = '"+events[ev][1]+"' AND category = '"+cat[ca][1]+"' AND gender = '"+g2+"'");
//Store:
rs = db.exec("INSERT INTO Pariticipants ( school , name, event, category , gender ,chestname ) VALUES ('"+schools[sc][1]+"','"+name+"','"+events[ev][1]+"','"+cat[ca][1]+"','"+g+"','"+cname+"')");
當學校設置為“小花學校”時,它可以正常運行,但是當我與后面的學校一起工作時,會出現此錯誤:
java.sql.SQLException: [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '`school` = 'St. Joseph\'s school' AND event = '50 m Race' AND category = 'Primary' AND gender = 'Boy''.
我認為這是因為撇號(')。
編輯: DBConn.java(數據庫連接。
import java.sql.*;
/**
* Write a description of class DBConnector here.
*
* @author Darshan Baid
* @version (a version number or a date)
*/
public class DBConn
{
String accessFileName = "C:\\Users\\Darshan\\Documents\\Database1.accdb";
Connection con;
public ResultSet exec(String query)
{
try{
Statement stmt = con.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,ResultSet.CONCUR_READ_ONLY);
stmt.execute(query); // execute query in table student
ResultSet rs = stmt.getResultSet(); // get any Result that came from our query
return rs;
}
catch(Exception e)
{
e.printStackTrace();
return null;
}
}
public void connect() {
try {
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
String connURL="jdbc:odbc:DRIVER={Microsoft Access Driver (*.mdb, *.accdb)};DBQ="+this.accessFileName+";";
this.con = DriverManager.getConnection(connURL, "","");
}
catch(Exception e)
{
e.printStackTrace();
}
}
public boolean close()
{
try{
con.close();
return true;
}
catch(Exception e)
{
e.printStackTrace();
return false;
}
}
}
現在:
import java.sql.*;
public class DBConn
{
String accessFileName = "C:\\Users\\Darshan\\Documents\\Database1.accdb";
Connection con;
public ResultSet exec(String query)
{
try{
Statement stmt = con.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE,ResultSet.CONCUR_READ_ONLY);
stmt.execute(query); // execute query in table student
ResultSet rs = stmt.getResultSet(); // get any Result that came from our query
return rs;
}
catch(Exception e)
{
e.printStackTrace();
return null;
}
}
public ResultSet exec(String query,String[] ar)
{
try{
PreparedStatement userRecord_stmt = con.prepareStatement(query);
for(int i = 0; i< ar.length;i++)
userRecord_stmt.setString(1,ar[i]);
ResultSet userRecord_rs = userRecord_stmt.executeQuery();
return userRecord_rs;
}catch(Exception e)
{
e.printStackTrace();
return null;
}
}
public void connect() {
try {
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
String connURL="jdbc:odbc:DRIVER={Microsoft Access Driver (*.mdb, *.accdb)};DBQ="+this.accessFileName+";";
this.con = DriverManager.getConnection(connURL, "","");
}
catch(Exception e)
{
e.printStackTrace();
}
}
public boolean close()
{
try{
con.close();
return true;
}
catch(Exception e)
{
e.printStackTrace();
return false;
}
}
}
並更改為Chestname func。 :
String ar[] = {schools[sc][1],events[ev][1],cat[ca][1],g2};
//ResultSet rs = db.exec("SELECT * FROM Pariticipants WHERE `school` = '"+schools[sc][1]+"' AND event = '"+events[ev][1]+"' AND category = '"+cat[ca][1]+"' AND gender = '"+g2+"'");
ResultSet rs = db.exec("SELECT * FROM Pariticipants WHERE `school` = ? AND `event` = ? AND `category` = ? AND `gender` = ?",ar);
面臨的錯誤:
java.sql.SQLException: [Microsoft][ODBC Microsoft Access Driver]COUNT field incorrect
不要通過串聯值來創建SQL
查詢。 在您的情況下,您將面臨SQL注入。 你的價值有特殊字符'
通過使用Access
。 避免這種做法。 而是使用PreparedStatement
。
Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/demo", "root", "root");
PreparedStatement userRecord_stmt = con.prepareStatement("SELECT * FROM Pariticipants WHERE `school` = ? AND event = ? AND category = ? AND gender = ?");
userRecord_stmt.setString(1,schools[sc][1]);
userRecord_stmt.setString(1,events[ev][1]);
userRecord_stmt.setString(1,cat[ca][1]);
userRecord_stmt.setString(1,g2);
ResultSet userRecord_rs = userRecord_stmt.executeQuery();
我不確定表的DataType
,因此在每種情況下都使用setString
。
我可能對此會引起批評,但是我使用函數q()自動引用字符串。 就像對所有參數進行參數化一樣安全,對於快速,骯臟的東西來說,它要干凈得多。
rs = db.exec("INSERT INTO Pariticipants ( school , name, event, category , gender ,chestname )
VALUES (" + q(schools[sc][1]) + "," + q(name) + "," + q(events[ev][1])
+ ","+ q(cat[ca][1]) + "," + q(g) + "," + q(cname) + ")");
Public Function q(i As Variant) As String
q = QuoteWithEscape(i, "'")
End Function
Public Function QuoteWithEscape(i As Variant, QuoteChar As String) As String
If QuoteChar = "" Then
QuoteWithEscape = CStr(i)
Exit Function
End If
If IsNull(i) Then
QuoteWithEscape = QuoteChar & QuoteChar
Else
If InStr(i, QuoteChar) = 0 Then
QuoteWithEscape = QuoteChar & i & QuoteChar
Else
QuoteWithEscape = QuoteChar & Replace(CStr(i), QuoteChar, QuoteChar & QuoteChar, , vbTextCompare) & QuoteChar
End If
End If
End Function
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.