使用变量containg的jdbc动态sql查询 [英] jdbc dymanic sql query with variable containg 's

问题描述

我之所以这样问，是因为我找不到答案.

I have asked this beacause i was not able to find the answer.

我在做什么

 String selectTableSQL = "SELECT * FROM diseaseinfo WHERE diseaseName =""+diseaseName +'" AND name = '"+username+"'";

除非疾病直到不包含的这类单词，否则它运行得非常完美.

it is perfecty running unless and until diseases does not contain 's type of word like

Wilms的肿瘤

Wilms' tumor

艾迪生氏病

等...

像

SELECT * FROM diseaseinfo WHERE diseaseName = 'Adult Still's disease' AND name = 'add';

由于在'Adult Still's

并且在Java中，我也不能以String selectTableSQL = ' ';开头字符串，它将始终位于String selectTableSQL = " ";

and also in java i cant start string with String selectTableSQL = ' '; it will always be in String selectTableSQL = " ";

任何解决方案?

推荐答案

为避免这种情况以及任何语法错误或SQL注入，您必须改用PreparedStatement:

To avoid this case and any syntax error or SQL Injection you have to use PreparedStatement instead :

String selectTableSQL = "SELECT * FROM diseaseinfo WHERE col1 = ? and col2 = ?";
try (PreparedStatement ps = connection.prepareStatement(selectTableSQL)) {

    ps.setString(1, value_1);
    ps.setString(2, value_2);
    ResultSet rs = ps.executeQuery();
    while(rs.next()){
        //...
    }
}

这篇关于使用变量containg的jdbc动态sql查询的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！