使用变量containg的jdbc动态sql查询 [英] jdbc dymanic sql query with variable containg 's
本文介绍了使用变量containg的jdbc动态sql查询的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我之所以这样问,是因为我找不到答案.
I have asked this beacause i was not able to find the answer.
我在做什么
String selectTableSQL = "SELECT * FROM diseaseinfo WHERE diseaseName =""+diseaseName +'" AND name = '"+username+"'";
除非疾病直到不包含的这类单词,否则它运行得非常完美.
it is perfecty running unless and until diseases does not contain 's type of word like
Wilms的肿瘤
Wilms' tumor
艾迪生氏病
等...
像
SELECT * FROM diseaseinfo WHERE diseaseName = 'Adult Still's disease' AND name = 'add';
由于在'Adult Still's
并且在Java中,我也不能以String selectTableSQL = ' ';
开头字符串,它将始终位于String selectTableSQL = " ";
and also in java i cant start string with String selectTableSQL = ' ';
it will always be in String selectTableSQL = " ";
任何解决方案?
推荐答案
为避免这种情况以及任何语法错误或SQL注入,您必须改用PreparedStatement:
To avoid this case and any syntax error or SQL Injection you have to use PreparedStatement instead :
String selectTableSQL = "SELECT * FROM diseaseinfo WHERE col1 = ? and col2 = ?";
try (PreparedStatement ps = connection.prepareStatement(selectTableSQL)) {
ps.setString(1, value_1);
ps.setString(2, value_2);
ResultSet rs = ps.executeQuery();
while(rs.next()){
//...
}
}
这篇关于使用变量containg的jdbc动态sql查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文