Java 也许我用的是一个旧的驱动程序或者别的什么?像这样传递参数查询是个很糟糕的主意。它是sql注入的潜在受害者。oracle建议使用绑定变量。删除最后的
也许我用的是一个旧的驱动程序或者别的什么?像这样传递参数查询是个很糟糕的主意。它是sql注入的潜在受害者。oracle建议使用绑定变量。删除最后的
您确定变量 others 包含引号吗?`String others = "'" + rs.getString("NAME").replace("'", "''") + "', '" + rs.getString("ADDRESS_1").replace("'", "''") + "', '" + rs.getString("ADDRESS_2").replace("'", "''") + "'";` 这是另一个问题,但您确定要在 FSA = 'null' 上进行筛选吗?这样传递参数进行查询是非常糟糕的,它是 SQL 注入的潜在受害者。Oracle 建议使用绑定变量。删除最后的
// prepareStatement gives no protection here: the text contains no '?'
// placeholders, so FSA, rootID and others are interpolated into the SQL
// before the driver sees it. A quote inside any of them changes the
// statement (injection), and a Java null becomes the text "null" in the
// query (the printed output shows FSA = 'null').
PreparedStatement getPotentialParents;
sql = "SELECT UNIQUE_ID, NAME, ADDRESS_1, ADDRESS_2, POSTAL_CODE FROM "
+ "(SELECT * FROM("
+ "SELECT p.*, CONNECT_BY_ROOT UNIQUE_ID AS ROOT_ID "
+ "FROM UNIQUE_CLINIC p "
+ "START WITH PARENT_ID IS NULL "
+ "CONNECT BY PRIOR UNIQUE_ID = PARENT_ID "
+ "ORDER BY ROOT_ID))" + "WHERE ROOT_ID <> " + rootID + " "
+ "AND (FSA = '" + FSA + "' "
+ "OR NAME IN (" + others + ") "
+ "OR ADDRESS_1 IN (" + others + ") "
// The ';' inside the string is a statement terminator; JDBC sends a single
// statement without one and the Oracle driver rejects it (ORA-00911).
+ "OR ADDRESS_2 IN (" + others + "));";
// Printing the assembled text writes the data values to stdout as well.
System.out.println(sql);
getPotentialParents = connection.prepareStatement(sql);
rs = getPotentialParents.executeQuery();
-- Statement text exactly as the Java code printed it after concatenation.
-- Artifacts of string-building are visible: FSA is compared with the literal
-- text 'null' (most likely a Java null rendered as text -- confirm against
-- the source row) and the third list value is 'NULLNULLNULL'. The quote in
-- BRENNAN'S is doubled only because the caller escaped it by hand; with
-- bind variables none of this escaping is needed.
-- The trailing ';' below is part of the printed Java string; as JDBC
-- statement text it must be removed.
SELECT UNIQUE_ID, NAME, ADDRESS_1, ADDRESS_2, POSTAL_CODE FROM (SELECT * FROM(SELECT p.*, CONNECT_BY_ROOT UNIQUE_ID AS ROOT_ID FROM UNIQUE_CLINIC p START WITH PARENT_ID IS NULL CONNECT BY PRIOR UNIQUE_ID = PARENT_ID ORDER BY ROOT_ID))
WHERE ROOT_ID <> 10548 AND (FSA = 'null' OR NAME IN ('BRENNAN''S AWESOME PHARMACY #1', '38 SOLUTIONS DR', 'NULLNULLNULL') OR ADDRESS_1 IN ('BRENNAN''S AWESOME PHARMACY #1', '38 SOLUTIONS DR', 'NULLNULLNULL') OR ADDRESS_2 IN ('BRENNAN''S AWESOME PHARMACY #1', '38 SOLUTIONS DR', 'NULLNULLNULL'));
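// Potential parents are matched on the current row's FSA, NAME and address
// columns. Those values come back from the database, so for the purpose of
// building the next statement they are untrusted: they are bound as
// parameters rather than concatenated. Concatenation let a quote in any
// value alter the statement and turned a null column into the text "null".
String FSA = rs.getString("FSA");
int rootID = rs.getInt("ROOT_ID");
String name = rs.getString("NAME");
String address1 = rs.getString("ADDRESS_1");
String address2 = rs.getString("ADDRESS_2");
// No ';' inside the text: JDBC sends one statement without a terminator and
// the Oracle driver rejects it (ORA-00911).
sql = "SELECT UNIQUE_ID, NAME, ADDRESS_1, ADDRESS_2, POSTAL_CODE FROM "
+ "(SELECT * FROM("
+ "SELECT p.*, CONNECT_BY_ROOT UNIQUE_ID AS ROOT_ID "
+ "FROM UNIQUE_CLINIC p "
+ "START WITH PARENT_ID IS NULL "
+ "CONNECT BY PRIOR UNIQUE_ID = PARENT_ID "
+ "ORDER BY ROOT_ID)) "
+ "WHERE ROOT_ID <> ? "
+ "AND (FSA = ? "
+ "OR NAME IN (?, ?, ?) "
+ "OR ADDRESS_1 IN (?, ?, ?) "
+ "OR ADDRESS_2 IN (?, ?, ?))";
// The text carries no data values, so printing it leaks nothing.
System.out.println(sql);
PreparedStatement getPotentialParents = connection.prepareStatement(sql);
getPotentialParents.setInt(1, rootID);
// A null FSA is bound as SQL NULL, so "FSA = ?" then matches no row; the
// concatenated version compared against the text 'null' instead.
getPotentialParents.setString(2, FSA);
// The same three values are tested against each of the three columns:
// positions 3-5, 6-8 and 9-11.
for (int i = 0; i < 3; i++) {
    getPotentialParents.setString(3 + 3 * i, name);
    getPotentialParents.setString(4 + 3 * i, address1);
    getPotentialParents.setString(5 + 3 * i, address2);
}
rs = getPotentialParents.executeQuery();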
// Same concatenated query: rootID, FSA and others are pasted into the SQL
// text, so a quote inside any value changes the statement (injection) and a
// Java null becomes the text "null" (the printed output shows FSA = 'null').
sql = "SELECT UNIQUE_ID, NAME, ADDRESS_1, ADDRESS_2, POSTAL_CODE FROM "
+ "(SELECT * FROM("
+ "SELECT p.*, CONNECT_BY_ROOT UNIQUE_ID AS ROOT_ID "
+ "FROM UNIQUE_CLINIC p "
+ "START WITH PARENT_ID IS NULL "
+ "CONNECT BY PRIOR UNIQUE_ID = PARENT_ID "
+ "ORDER BY ROOT_ID))" + "WHERE ROOT_ID <> " + rootID + " "
+ "AND (FSA = '" + FSA + "' "
+ "OR NAME IN (" + others + ") "
+ "OR ADDRESS_1 IN (" + others + ") "
// The ';' inside the string is a statement terminator; JDBC sends a single
// statement without one and the Oracle driver rejects it (ORA-00911).
+ "OR ADDRESS_2 IN (" + others + "));";
// Printing the assembled text writes the data values to stdout as well.
System.out.println(sql);
// java.sql.Connection has no createStatement(String): this line does not
// compile. The SQL text goes to prepareStatement(sql), or to
// Statement.executeQuery(sql) after a no-argument createStatement().
getPotentialParents = connection.createStatement(sql);
rs = getPotentialParents.executeQuery();
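-- SQL*Plus reproduction of the Java query with bind variables. The statement
-- text carries no data, so the values assigned below cannot change its shape.
VARIABLE rootid NUMBER;
VARIABLE fsa VARCHAR2(20);
-- Sized like the address binds: the sample name below is 29 characters, which
-- overflows a VARCHAR2(20) bind (ORA-06502) before the query ever runs.
VARIABLE name VARCHAR2(200);
VARIABLE address1 VARCHAR2(200);
VARIABLE address2 VARCHAR2(200);
BEGIN
:rootid := 10548;
-- The literal text 'null', as the concatenating Java code produced it. For a
-- genuinely missing FSA assign NULL instead; FSA = :fsa then matches no row.
:fsa := 'null';
:name := 'BRENNAN''S AWESOME PHARMACY #1';
:address1 := '38 SOLUTIONS DR';
:address2 := 'NULLNULLNULL';
END;
/
SELECT UNIQUE_ID,
NAME,
ADDRESS_1,
ADDRESS_2,
POSTAL_CODE
FROM (
SELECT *
FROM (
SELECT p.*,
CONNECT_BY_ROOT UNIQUE_ID AS ROOT_ID
FROM UNIQUE_CLINIC p
START WITH PARENT_ID IS NULL
CONNECT BY PRIOR UNIQUE_ID = PARENT_ID
-- Ordering inside a derived table does not order the final result; add an
-- outer ORDER BY if callers depend on row order.
ORDER BY ROOT_ID
)
)
WHERE ROOT_ID <> :rootid
AND ( FSA = :fsa
OR NAME IN ( :name, :address1, :address2 )
OR ADDRESS_1 IN ( :name, :address1, :address2 )
OR ADDRESS_2 IN ( :name, :address1, :address2 )
);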
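// Named bind variables: the statement text contains no data, so the values
// read from rs cannot alter its structure, and no quote escaping is needed.
// The text also has no trailing ';' (JDBC expects a single statement).
String sql = "SELECT UNIQUE_ID, NAME, ADDRESS_1, ADDRESS_2, POSTAL_CODE FROM ( SELECT * FROM ( SELECT p.*, CONNECT_BY_ROOT UNIQUE_ID AS ROOT_ID FROM UNIQUE_CLINIC p START WITH PARENT_ID IS NULL CONNECT BY PRIOR UNIQUE_ID = PARENT_ID ORDER BY ROOT_ID ) ) WHERE ROOT_ID <> :rootid AND ( FSA = :fsa OR NAME IN ( :name, :address1, :address2 ) OR ADDRESS_1 IN ( :name, :address1, :address2 ) OR ADDRESS_2 IN ( :name, :address1, :address2 ) )";
PreparedStatement ps = connection.prepareStatement( sql );
// The named-parameter setters are Oracle driver extensions. unwrap() rather
// than a cast, so a statement handed out by a pool or other wrapper (a proxy
// that is not itself an OraclePreparedStatement) still works.
OraclePreparedStatement ops = ps.unwrap( OraclePreparedStatement.class );
ops.setIntAtName( "rootid", rs.getInt("ROOT_ID") );
// A null FSA is bound as SQL NULL, so "FSA = :fsa" matches no row; the
// concatenated version compared against the text 'null' instead.
ops.setStringAtName( "fsa", rs.getString("FSA") );
ops.setStringAtName( "name", rs.getString("NAME") );
ops.setStringAtName( "address1", rs.getString("ADDRESS_1") );
ops.setStringAtName( "address2", rs.getString("ADDRESS_2") );
// executeQuery() returns the rows; a bare execute() discards them.
// The caller is responsible for closing potentialParents and ps.
ResultSet potentialParents = ops.executeQuery();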