Java SQL查询的WHERE子句中存在错误,
我在此代码中有一个错误:Java SQL查询的WHERE子句中存在错误,,java,sql,oracle,Java,Sql,Oracle,我在此代码中有一个错误: public List<AvailableTest> srchInTestsInDb(String search, String catg) { try { Connection conn = Dbconn.Connect(); System.out.println(catg); String sql = "SELECT * " + "FROM
public List<AvailableTest> srchInTestsInDb(String search, String catg) {
try
{
Connection conn = Dbconn.Connect();
System.out.println(catg);
String sql = "SELECT * "
+ "FROM AVAILABLE_TESTS "
+ "WHERE TST_CATAGORY="+catg+"";
// + "TST_NAME LIKE '"+search+"%'";// AND TST_CATAGORY ="+catg+"";
Statement statement = conn.createStatement();
ResultSet rs = statement.executeQuery(sql);
List<AvailableTest> testList = new ArrayList<AvailableTest>();
while (rs.next())
{
AvailableTest newtest = new AvailableTest();
newtest.setTstNo(rs.getInt("TST_NO"));
newtest.setTstName(rs.getString("TST_NAME"));
newtest.setTstCatagory(rs.getString("TST_CATAGORY"));
newtest.setTstNormalValue(rs.getString("TST_NORMALVAL"));
testList.add(newtest);
}
return testList;
}
catch (SQLException ex)
{
Logger.getLogger(DbHandeler.class.getName()).log(Level.SEVERE, null, ex);
return null;
}
}
当我打印catg时,它会打印我在查询中需要的化学元素,但它不起作用。它应该在TST_CATAGORY='+catg+'的位置,因为字符串参数应该在引号中
也就是说,这是一种非常糟糕的做法,您将面临SQL注入的风险。使用事先准备好的陈述:
String sql = "SELECT * "
+ "FROM AVAILABLE_TESTS "
+ "WHERE TST_CATAGORY=?";
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString (1, catg);
ResultSet res = stmt.executeQuery ();;
甲骨文正在考虑将CHEM列为一个名称,因为它没有被引用。要使Oracle将其视为字符串,请使用单引号
String sql = "SELECT * "
+ "FROM AVAILABLE_TESTS "
+ "WHERE TST_CATAGORY='"+catg+"'";
尝试:
因为catg的内容是一个字符串,所以在SQL查询中它也应该用引号括起来。我假设TST_CATAGORY=+catg+;是一根线。。。所以不应该是。。。TST_分类='+catg+';你没有引用你传递的字符串。您可以通过使用参数化查询来避免这种情况,比如SQL注入。
String sql = "SELECT * "
+ "FROM AVAILABLE_TESTS "
+ "WHERE TST_CATAGORY='"+catg+"'";
String sql = "SELECT * "
+ "FROM AVAILABLE_TESTS "
+ "WHERE TST_CATAGORY='"+catg+"';";