Grails query using groovy.sql.Sql does not work, but the same query works in MySQL Workbench
I am using Grails with MySQL through groovy.sql.Sql. I run a query in my controller, but it does not work. When I copy the SQL code and run it in MySQL Workbench, it works fine. This is the code in my controller:
def createSomething() {
    def sql = new Sql(dataSource)
    def Title = params.playlistName
    def StartDate = params.startDate
    def EndDate = params.endDate
    def map = [title:Title, start:StartDate, end:EndDate]
    // Each string below is a GString. groovy.sql.Sql rewrites every $... expression
    // in a GString into a JDBC ? placeholder and binds the value as a parameter, so
    // the quoted form '$map.title' is sent to MySQL as the literal '?' and the
    // parameter count no longer matches what the statement expects.
    sql.execute (
        "START TRANSACTION;" +
        "BEGIN;" +
        "INSERT INTO playlist (`name`) VALUES ('$map.title');" +
        "SELECT playlist.id from playlist where playlist.name = '$map.title' INTO @playlistId;" +
        "INSERT INTO playlist_has_media(`idMedia`,`order`,`idPlaylist`)VALUES(1,1,@playlistId),(2,2,@playlistId),(3,3,@playlistId);" +
        "INSERT INTO schedule(`name`,`startDate`,`endDate`,`idPlaylist`,`isSync`)VALUES('$map.title', '$map.start', '$map.end', @playlistId, 1);" +
        "COMMIT;"
    )
}
It shows me an error, but when I copy the printed SQL code and run it in MySQL Workbench, it works.

Try removing the single quotes:
def createSomething() {
    def sql = new Sql(dataSource)
    def Title = params.playlistName
    def StartDate = params.startDate
    def EndDate = params.endDate
    def map = [title:Title, start:StartDate, end:EndDate]
    // The $... expressions are bound as prepared-statement parameters by Sql,
    // so they must not be wrapped in quotes in the SQL text.
    sql.execute (
        "START TRANSACTION;" +
        "BEGIN;" +
        "INSERT INTO playlist (`name`) VALUES ($map.title);" +
        "SELECT playlist.id from playlist where playlist.name = $map.title INTO @playlistId;" +
        "INSERT INTO playlist_has_media(`idMedia`,`order`,`idPlaylist`)VALUES(1,1,@playlistId),(2,2,@playlistId),(3,3,@playlistId);" +
        "INSERT INTO schedule(`name`,`startDate`,`endDate`,`idPlaylist`,`isSync`)VALUES($map.title, $map.start, $map.end, @playlistId, 1);" +
        "COMMIT;"
    )
}
Perhaps you could make it a bit groovier:
sql.withTransaction {
    // executeInsert returns the generated keys as a list of rows ([[id]]),
    // so take the first column of the first row to get the new playlist id
    def playlistId = sql.executeInsert("INSERT INTO playlist (`name`) VALUES ($map.title)")[0][0]
    sql.execute("INSERT INTO playlist_has_media(`idMedia`,`order`,`idPlaylist`) VALUES (1,1,$playlistId),(2,2,$playlistId),(3,3,$playlistId)")
    sql.executeInsert("INSERT INTO schedule(`name`,`startDate`,`endDate`,`idPlaylist`,`isSync`) VALUES ($map.title, $map.start, $map.end, $playlistId, 1)")
}
Can you post the error? Are you passing user-supplied strings into the SQL query? That has a lot of potential for SQL injection attacks.
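The following is an added example, not code from the question or either answer above. It shows the parameterised, transactional version of the controller action that the answer sketches, and then demonstrates the injection risk the last comment raises by running a constructed tautology payload through both a bound parameter and the question's string-concatenation style. It assumes an in-memory H2 database in MySQL compatibility mode (resolved via @Grab) standing in for the MySQL server, and the schema is constructed from the table and column names in the question with guessed column types.

```groovy
@Grab('com.h2database:h2:2.2.224')
import groovy.sql.Sql

// ASSUMPTION: H2 in MySQL mode replaces the real MySQL instance; it accepts the
// backtick-quoted identifiers used in the question. Column types are guessed.
def sql = Sql.newInstance('jdbc:h2:mem:demo;MODE=MySQL;DB_CLOSE_DELAY=-1', 'sa', '', 'org.h2.Driver')
sql.execute 'CREATE TABLE playlist (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(255))'
sql.execute 'CREATE TABLE playlist_has_media (idMedia INT, `order` INT, idPlaylist INT)'
sql.execute '''CREATE TABLE schedule (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(255),
               startDate VARCHAR(32), endDate VARCHAR(32), idPlaylist INT, isSync INT)'''

// Parameterised version of the controller action. Every $expr inside a GString is
// turned into a JDBC ? placeholder by groovy.sql.Sql and bound as a parameter, so
// the request values never become part of the SQL text. No quotes around them.
def createSomething(Sql sql, Map params) {
    def title = params.playlistName
    def start = params.startDate
    def end   = params.endDate
    def playlistId
    // withTransaction commits on success and rolls back if any statement throws,
    // replacing the hand-written START TRANSACTION / COMMIT strings.
    sql.withTransaction {
        // executeInsert returns the generated keys as a list of rows: [[id]]
        playlistId = sql.executeInsert("INSERT INTO playlist (`name`) VALUES ($title)")[0][0]
        [1, 2, 3].each { n ->
            sql.execute("INSERT INTO playlist_has_media (`idMedia`, `order`, `idPlaylist`) VALUES ($n, $n, $playlistId)")
        }
        sql.execute("""INSERT INTO schedule (`name`, `startDate`, `endDate`, `idPlaylist`, `isSync`)
                       VALUES ($title, $start, $end, $playlistId, 1)""")
    }
    return playlistId
}

// Constructed inputs: one benign request and one carrying a classic tautology payload.
def benignId  = createSomething(sql, [playlistName: 'Morning mix', startDate: '2024-01-01', endDate: '2024-01-31'])
def hostile   = "x' OR '1'='1"
def hostileId = createSomething(sql, [playlistName: hostile, startDate: '2024-02-01', endDate: '2024-02-29'])

// Bound parameter: the payload is just a string value, so exactly one playlist matches
// and it is the one we created with that name.
assert sql.firstRow("SELECT COUNT(*) AS n FROM playlist WHERE name = $hostile").n == 1
assert sql.firstRow("SELECT id FROM playlist WHERE name = $hostile").id == hostileId

// The question's concatenation style builds a plain String, so the payload is parsed
// as SQL: the WHERE clause becomes  name = 'x' OR '1'='1'  and matches every row.
String raw = "SELECT COUNT(*) AS n FROM playlist WHERE name = '" + hostile + "'"
assert sql.firstRow(raw).n == 2
assert sql.rows('SELECT idPlaylist FROM playlist_has_media')*.idPlaylist.count(benignId) == 3
```

The same mechanism is what breaks the original code: with `'$map.title'` Sql sends `VALUES ('?')`, a string literal rather than a placeholder, and then tries to bind a parameter the statement does not have. Wrapping a value in `Sql.expand(...)` would inline it into the SQL text instead of binding it, which reintroduces exactly the injection shown in the last assertion, so reserve that for values that are not user-controlled.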