有一个 mySQL 错误,未知列 where 子句 [英] Having a mySQL error, unknown column where clause
问题描述
我目前在从 mySQL 数据库中选择某个项目时遇到问题.我的程序旨在将参数从 android 应用程序传递到 servlet,然后该 servlet 查询数据库.
I am currently having a problem selecting a certain item from a mySQL database. My program is designed to pass a parameter from an android application to a servlet which then queries the database.
但是控制台窗口出现错误:where 子句"中的未知列0102310c24"
However an error appears on the console window: Unknown column '0102310c24' in 'where clause'
只有当我要选择的值包含字母时才会出现错误.
There is only an error when the value I want to select contains a letter.
当我查询这个号码0106172459时,我想要的数据没有问题返回.
When I query this number 0106172459, the data I want is returned without a problem.
下面是我的 servlet.
Below is my servlet.
import java.io.*;
import java.util.*;
import javax.sql.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
public class DBServlet extends HttpServlet {
public void service(HttpServletRequest request,HttpServletResponse response)
throws IOException, ServletException{
response.setContentType("text/html");
PrintWriter out = response.getWriter();
String x=request.getParameter("item");
Connection con = null;
Statement stmt = null;
ResultSet rs = null;
try {
Class.forName("com.mysql.jdbc.Driver");
con =DriverManager.getConnection ("jdbc:mysql://IP/databasename", "username", "password");
stmt = con.createStatement();
rs = stmt.executeQuery("SELECT * FROM items WHERE item="+x);
// displaying records
while(rs.next()){
out.print(rs.getObject(1).toString());
out.print(",");
out.print(rs.getObject(2).toString());
out.print(",");
out.print(rs.getObject(3).toString());
out.print(",");
out.print(rs.getObject(4).toString());
out.print(",");
out.print(rs.getObject(5).toString());
out.print(",");
out.print(rs.getObject(6).toString());
out.print(",");
out.print(rs.getObject(7).toString());
out.print(",");
out.print(rs.getObject(8).toString());
out.print(",");
out.print("\n");
}
} catch (SQLException e) {
throw new ServletException("Servlet Could not display records.", e);
} catch (ClassNotFoundException e) {
throw new ServletException("JDBC Driver not found.", e);
} finally {
try {
if(rs != null) {
rs.close();
rs = null;
}
if(stmt != null) {
stmt.close();
stmt = null;
}
if(con != null) {
con.close();
con = null;
}
} catch (SQLException e) {}
}
out.close();
}
}
我用它来将值发送到 servlet.
and I use this to send the value to the servlet.
List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>();
nameValuePair.add(new BasicNameValuePair("item","List<NameValuePair> nameValuePair = new ArrayList<NameValuePair>();
nameValuePair.add(new BasicNameValuePair("item","010238a2cc"));"));
如果有人能帮忙,我将不胜感激
I will be thankful if anyone could help
推荐答案
值 x
应该用引号引起来,否则一个非数字值将被假定为引用一个列而不是一个字符串文字.
The value x
should be enclosed in quotes, or a non-numeric value would be assumed to refer to a column rather than a string literal.
rs = stmt.executeQuery("SELECT * FROM items WHERE item='"+x + "'");
请注意,您的脚本似乎容易受到 SQL 注入的攻击,因为值 x
尚未转义,而是从 Request
中收到的.这里最好使用准备好的语句.
Note that your script appears to be vulnerable to SQL injection, as the value x
has not been escaped but was received from the Request
. It would be better to use a prepared statement here.
这篇关于有一个 mySQL 错误,未知列 where 子句的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!