javaselectwhere_Java带有where⼦句的SQLselect语句如何在没有硬编码值的情况下编写此sql语句?
resultSet = statement
.executeQuery("select * Table where name = 'john'");
// this works
⽽是有类似的东西:
String name = "john";
resultSet = statement
.executeQuery("select * Table where name =" + name);
基本的sql语句有哪些// Unknown column 'john' in 'where clause' at
// .
提前致谢..
以您当前的⽅式构建SQL查询通常是⼀个糟糕的主意,因为它为各种SQL注⼊攻击打开了⼤门.要正确执⾏此操作,您必须使⽤
Prepared Statements.这也将解决您⽬前显⽽易见的各种逃避问题.
PreparedStatement statement = connection.prepareStatement("select * Table where name = ?");
statement.setString(1, name);
ResultSet resultSet = uteQuery();
请注意,prepareStatement()是⼀个昂贵的调⽤(除⾮您的应⽤程序服务器使⽤语句缓存和其他类似的⼯具).从理论上讲,最好是准备⼀次语句,然后多次重复使⽤它(尽管不是同时使⽤):
String[] names = new String[] {"Isaac", "Hello"};
PreparedStatement statement = connection.prepareStatement("select * Table where name = ?");
for (String name: names) {
statement.setString(1, name);
ResultSet resultSet = uteQuery();
...
...
statement.clearParameters();
}