Oracle query inside Java - Java, JDBC - Fatal编程技术网

The last query produces an error:

String sql = "INSERT INTO Student_Info(name,roll_no,address,phone_no) VALUES('101', 1, 'Fatma', '25')";

String sql = "insert into Student_Info(name,roll_no,address,phone_no) VALUES("+student.getName()+","+student.getRoll_no()+","+student.getAddress()+","+student.getPhone_no()+")";


Can anyone work out where I am missing a comma?

You are missing the single quotes around student.name, student.address and student.phone_no.

statement.executeUpdate(sql);
Note that this SQL statement is vulnerable to SQL injection. Use a


René's answer is correct. However, I would like to add one thing:

Use

Your code would look like:

  String sql = "insert into Student_Info(name,roll_no,address,phone_no) " +
               "VALUES(?,?,?,?)"; 

  PreparedStatement addStudent = con.prepareStatement(sql);
  addStudent.setString(1, student.getName());
  addStudent.setInt(2, student.getRoll_no());
  addStudent.setString(3, student.getAddress());
  addStudent.setString(4, student.getPhone_no());
  addStudent.executeUpdate();
  con.commit();

Do it like this:

// column names cannot be bound as parameters; only the VALUES are placeholders
String sql = "INSERT INTO Student_Info(name, roll_no, address, phone_no) VALUES(?,?,?,?)";

PreparedStatement sql_prepared = connection_object.prepareStatement(sql);
Do not use raw Statements; use PreparedStatements¹. Raw statements perform worse, are more vulnerable (SQL injection) and, most importantly, the code is much less readable (especially when there are many columns).


¹ Safer, precompiled, better performance, more readable...

You are not missing a comma. You forgot to quote the variables (student.getName() etc.). You should use PreparedStatement instead of concatenating strings; see
String sql = "insert into Student_Info(name, roll_no, address, phone_no) " +
             "VALUES(?, ?, ?, ?)";
PreparedStatement ps = con.prepareStatement(sql);
ps.setString(1, value); // indexing starts from 1 (not from zero)
...
ps.executeUpdate();
// commit if you have set auto-commit to false
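Pulling the answers together, here is an added example (not code from the question or from any of the answers above). It shows why the "add the missing quotes" fix from the first answer is not enough: a legitimate value containing an apostrophe, or a crafted one, still changes the text of the statement, whereas with a PreparedStatement the statement text is fixed and the values never touch it. The Student class, the JDBC URL, the user name and the password are assumptions for illustration; the Oracle JDBC driver must be on the classpath for the connection part to run.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Added example, not code from the question or any answer.
public class StudentInsertDemo {

    // Minimal stand-in for the question's Student class (assumed shape,
    // getter names taken from the question).
    static final class Student {
        private final String name;
        private final int rollNo;
        private final String address;
        private final String phoneNo;

        Student(String name, int rollNo, String address, String phoneNo) {
            this.name = name;
            this.rollNo = rollNo;
            this.address = address;
            this.phoneNo = phoneNo;
        }
        String getName() { return name; }
        int getRoll_no() { return rollNo; }
        String getAddress() { return address; }
        String getPhone_no() { return phoneNo; }
    }

    // The question's concatenation with the missing single quotes added.
    // It parses for ordinary input, but any quote character inside a value
    // ends the string literal early and the rest of the value becomes SQL.
    static String buildByConcatenation(Student s) {
        return "INSERT INTO Student_Info(name,roll_no,address,phone_no) VALUES('"
                + s.getName() + "'," + s.getRoll_no() + ",'"
                + s.getAddress() + "','" + s.getPhone_no() + "')";
    }

    // Parameterised version: the statement text never changes, the values
    // are sent separately and need no quoting or escaping by the caller.
    static final String INSERT_SQL =
            "INSERT INTO Student_Info(name,roll_no,address,phone_no) VALUES(?,?,?,?)";

    static int insertStudent(Connection con, Student s) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            ps.setString(1, s.getName());     // parameter indexes start at 1
            ps.setInt(2, s.getRoll_no());
            ps.setString(3, s.getAddress());
            ps.setString(4, s.getPhone_no());
            return ps.executeUpdate();        // rows inserted
        }
    }

    public static void main(String[] args) throws SQLException {
        Student plain = new Student("Fatma", 1, "101", "25");
        // Constructed input with an apostrophe: valid data for a name column,
        // but it breaks the concatenated statement at 'O'.
        Student apostrophe = new Student("O'Brien", 2, "101", "25");

        System.out.println(buildByConcatenation(plain));
        // Prints ...VALUES('O'Brien',2,'101','25'): the text after 'O' is
        // parsed as SQL, so Oracle rejects the statement; a crafted value
        // could instead rewrite it, which is the injection the answers warn about.
        System.out.println(buildByConcatenation(apostrophe));

        // Assumed connection details; replace with your own before running.
        String url = "jdbc:oracle:thin:@//localhost:1521/XEPDB1";
        try (Connection con = DriverManager.getConnection(url, "app_user", "secret")) {
            con.setAutoCommit(false);
            try {
                insertStudent(con, plain);
                insertStudent(con, apostrophe); // stored verbatim as "O'Brien"
                con.commit();
            } catch (SQLException e) {
                con.rollback();
                throw e;
            }
        }
    }
}
```

The commit and rollback are explicit because auto-commit is switched off; with the JDBC default of auto-commit on, each executeUpdate commits on its own and the con.commit() calls in the answers above are redundant.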