Inserting variables into SQL statement


Question


int sap;
String empname;
String subject;
System.out.println("enter the name and values");
sap=s1.nextInt();
empname=s1.nextLine();
subject=s1.nextLine();

ResultSet resultSet = statement.executeQuery("insert into training(Sapid,name,Stream") values("+sap+",'"+empname+"','"+subject+"'));




I'm getting a syntax error with the above statement, help, please.

Solution

The problem is not the syntax error. The whole idea is wrong. You get the strings from the user and concatenate them to compose a query. Never ever do so. This is very dangerous, because it can be anything, including… an SQL language fragment. It can lead you to this situation:
http://xkcd.com/327.

I hope you got the idea. This is a very well known exploit called SQL injection; and you open the doors to this exploit. Please see: http://en.wikipedia.org/wiki/SQL_injection.

The article reference above also explains what you should do to solve this problem: use parametrized statements. Please see:
https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java.

—SA
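The parametrized form the answer above recommends, written out as an added example (this is not code from the question or from either answer). It keeps the question's table and column names and the Scanner variable s1; the JDBC URL and credentials are placeholders you must replace for your own driver and database. Each user value is bound to a "?" marker by the driver, so a quote character or SQL fragment in the input is stored as data instead of being parsed as part of the statement.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Scanner;

public class TrainingInsert {

    // Assumed placeholder: replace with the JDBC URL for your driver/database.
    private static final String JDBC_URL = "jdbc:YOUR_DRIVER://localhost/yourdb";

    // Inserts one row with a parameterized statement. The three "?" markers are
    // bound by the driver, so empname and subject never become statement text.
    static int insertTraining(Connection conn, int sap, String empname, String subject)
            throws SQLException {
        String sql = "insert into training(Sapid, name, Stream) values (?, ?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, sap);
            ps.setString(2, empname);
            ps.setString(3, subject);
            // INSERT returns an update count, so executeUpdate rather than executeQuery.
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        Scanner s1 = new Scanner(System.in);
        System.out.println("enter the name and values");
        // Read the whole line and parse it, so the trailing newline after the
        // number is not swallowed into the next nextLine() call.
        int sap = Integer.parseInt(s1.nextLine().trim());
        String empname = s1.nextLine();
        String subject = s1.nextLine();

        // Assumed placeholder credentials.
        try (Connection conn = DriverManager.getConnection(JDBC_URL, "user", "password")) {
            int rows = insertTraining(conn, sap, empname, subject);
            System.out.println(rows + " row(s) inserted");
        }
    }
}
```

Note that the SQL text contains no user input at all; the statement is identical no matter what is typed, which is the property that closes the injection hole. The try-with-resources blocks also release the PreparedStatement and Connection whether or not the insert succeeds.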


Two double quotes have been misplaced.

ResultSet resultSet = statement.executeQuery("insert into training(Sapid,name,Stream) values("+sap+",'"+empname+"','"+subject+"')");

