Java 也许我用的是一个旧的驱动程序或者别的什么?像这样传递参数查询是个很糟糕的主意。它是sql注入的潜在受害者。oracle建议使用绑定变量。删除最后的



也许我用的是一个旧的驱动程序或者别的什么?像这样把参数直接拼进查询语句是个很糟糕的主意，这样的查询容易受到 SQL 注入攻击。Oracle 建议使用绑定变量。删除最后的
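PreparedStatement getPotentialParents;

        // Build the statement text with '?' placeholders only. Splicing rootID,
        // FSA and `others` straight into the string (as before) lets a quote in
        // a NAME or ADDRESS value rewrite the query (SQL injection), turns a
        // Java null FSA into the literal text 'null', and leaves a trailing ';'
        // inside the statement text, which the Oracle JDBC driver rejects
        // (typically ORA-00911).
        sql = "SELECT UNIQUE_ID, NAME, ADDRESS_1, ADDRESS_2, POSTAL_CODE FROM "
                + "(SELECT * FROM("
                + "SELECT p.*, CONNECT_BY_ROOT UNIQUE_ID AS ROOT_ID "
                + "FROM UNIQUE_CLINIC p "
                + "START WITH PARENT_ID IS NULL "
                + "CONNECT BY PRIOR UNIQUE_ID = PARENT_ID "
                + "ORDER BY ROOT_ID)) "
                + "WHERE ROOT_ID <> ? "
                + "AND (FSA = ? "
                + "OR NAME IN (?, ?, ?) "
                + "OR ADDRESS_1 IN (?, ?, ?) "
                + "OR ADDRESS_2 IN (?, ?, ?))";

        // The text carries no data values any more, so printing it leaks nothing.
        System.out.println(sql);

        getPotentialParents = connection.prepareStatement(sql);
        // rootID was produced by String.valueOf(rs.getInt("ROOT_ID")), so it
        // parses back to an int and is bound with the numeric type.
        getPotentialParents.setInt(1, Integer.parseInt(rootID));
        // A null FSA is bound as SQL NULL; "FSA = NULL" is never true, so that
        // branch matches nothing instead of looking for the text 'null'.
        getPotentialParents.setString(2, FSA);
        // The three strings that used to be quoted into `others` (presumably
        // from the current row of rs) are compared against NAME, ADDRESS_1 and
        // ADDRESS_2, so each is bound once per IN list (positions 3-11).
        // No manual quote doubling is needed with binds.
        String[] candidates = {
            rs.getString("NAME"), rs.getString("ADDRESS_1"), rs.getString("ADDRESS_2")
        };
        for (int i = 0; i < 9; i++) {
            getPotentialParents.setString(3 + i, candidates[i % 3]);
        }
        rs = getPotentialParents.executeQuery();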
-- Query text exactly as printed by System.out.println(sql) above, i.e. with the
-- data values already concatenated in. Two symptoms of that approach are visible:
--   * FSA = 'null'      -- the Java null was stringified, so this compares
--                          against the literal text 'null', not SQL NULL
--   * the trailing ';'  -- it is part of the JDBC statement text, which the
--                          Oracle JDBC driver rejects (typically ORA-00911)
-- Every quoted value here is also a spot where data containing quotes becomes
-- SQL; the hand-rolled '' doubling is what keeps this particular row safe.
SELECT UNIQUE_ID, NAME, ADDRESS_1, ADDRESS_2, POSTAL_CODE FROM (SELECT * FROM(SELECT p.*, CONNECT_BY_ROOT UNIQUE_ID AS ROOT_ID FROM UNIQUE_CLINIC p START WITH PARENT_ID IS NULL CONNECT BY PRIOR UNIQUE_ID = PARENT_ID ORDER BY ROOT_ID))
WHERE ROOT_ID <> 10548 AND (FSA = 'null' OR NAME IN ('BRENNAN''S AWESOME PHARMACY #1', '38 SOLUTIONS DR', 'NULLNULLNULL') OR ADDRESS_1 IN ('BRENNAN''S AWESOME PHARMACY #1', '38 SOLUTIONS DR', 'NULLNULLNULL') OR ADDRESS_2 IN ('BRENNAN''S AWESOME PHARMACY #1', '38 SOLUTIONS DR', 'NULLNULLNULL'));
// Values taken from the current row of rs for the potential-parent query.
// ROOT_ID is kept as text only because it is spliced into SQL text, and the
// NAME/ADDRESS_* values get their single quotes doubled for the same reason.
// Note: rs.getString() returns null for a SQL NULL and null.replace(...) throws
// NullPointerException, so a NULL NAME/ADDRESS column aborts here. With bind
// variables none of this escaping would be necessary.
String FSA = rs.getString("FSA");
String rootID = String.valueOf(rs.getInt("ROOT_ID"));
String quotedName = rs.getString("NAME").replace("'", "''");
String quotedAddress1 = rs.getString("ADDRESS_1").replace("'", "''");
String quotedAddress2 = rs.getString("ADDRESS_2").replace("'", "''");
// Same text as "'a', 'b', 'c'" built by concatenation.
String others = String.format("'%s', '%s', '%s'", quotedName, quotedAddress1, quotedAddress2);



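    // Bind the values with '?' instead of concatenating them: concatenation let
    // a quote inside NAME/ADDRESS data rewrite the query (SQL injection),
    // rendered a Java null FSA as the literal 'null', and left a trailing ';'
    // in the statement text, which the Oracle JDBC driver rejects
    // (typically ORA-00911).
    sql = "SELECT UNIQUE_ID, NAME, ADDRESS_1, ADDRESS_2, POSTAL_CODE FROM "
            + "(SELECT * FROM("
            + "SELECT p.*, CONNECT_BY_ROOT UNIQUE_ID AS ROOT_ID "
            + "FROM UNIQUE_CLINIC p "
            + "START WITH PARENT_ID IS NULL "
            + "CONNECT BY PRIOR UNIQUE_ID = PARENT_ID "
            + "ORDER BY ROOT_ID)) "
            + "WHERE ROOT_ID <> ? "
            + "AND (FSA = ? "
            + "OR NAME IN (?, ?, ?) "
            + "OR ADDRESS_1 IN (?, ?, ?) "
            + "OR ADDRESS_2 IN (?, ?, ?))";

    // Only placeholders in the text now, so logging it exposes no data.
    System.out.println(sql);

    // PreparedStatement is-a Statement, so code that only needs the Statement
    // view of getPotentialParents keeps working.
    PreparedStatement getPotentialParents = connection.prepareStatement(sql);
    // rootID came from String.valueOf(rs.getInt("ROOT_ID")); bind it numerically.
    getPotentialParents.setInt(1, Integer.parseInt(rootID));
    // A null FSA becomes SQL NULL here; "FSA = NULL" is never true, so that
    // branch matches nothing rather than the text 'null'.
    getPotentialParents.setString(2, FSA);
    // The three strings formerly quoted into `others` (presumably from the
    // current row of rs) are compared against NAME, ADDRESS_1 and ADDRESS_2,
    // so each is bound once per IN list (positions 3-11).
    String[] matchValues = {
        rs.getString("NAME"), rs.getString("ADDRESS_1"), rs.getString("ADDRESS_2")
    };
    for (int pos = 3; pos < 12; pos++) {
        getPotentialParents.setString(pos, matchValues[(pos - 3) % 3]);
    }
    rs = getPotentialParents.executeQuery();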
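    // Same query with '?' placeholders. Concatenating rootID/FSA/others into
    // the text allowed SQL injection through quotes in NAME/ADDRESS data,
    // turned a Java null FSA into the literal 'null', and left a trailing ';'
    // that the Oracle JDBC driver rejects (typically ORA-00911).
    sql = "SELECT UNIQUE_ID, NAME, ADDRESS_1, ADDRESS_2, POSTAL_CODE FROM "
            + "(SELECT * FROM("
            + "SELECT p.*, CONNECT_BY_ROOT UNIQUE_ID AS ROOT_ID "
            + "FROM UNIQUE_CLINIC p "
            + "START WITH PARENT_ID IS NULL "
            + "CONNECT BY PRIOR UNIQUE_ID = PARENT_ID "
            + "ORDER BY ROOT_ID)) "
            + "WHERE ROOT_ID <> ? "
            + "AND (FSA = ? "
            + "OR NAME IN (?, ?, ?) "
            + "OR ADDRESS_1 IN (?, ?, ?) "
            + "OR ADDRESS_2 IN (?, ?, ?))";

    // Placeholders only, so the printed text contains no data values.
    System.out.println(sql);

    // java.sql.Connection has no createStatement(String) and java.sql.Statement
    // has no no-argument executeQuery(), so the original pair could not compile;
    // the bind-variable form needs a PreparedStatement in any case.
    PreparedStatement potentialParentsQuery = connection.prepareStatement(sql);
    // rootID came from String.valueOf(rs.getInt("ROOT_ID")); bind it numerically.
    potentialParentsQuery.setInt(1, Integer.parseInt(rootID));
    // A null FSA is bound as SQL NULL; "FSA = NULL" is never true, so that
    // branch matches nothing rather than the text 'null'.
    potentialParentsQuery.setString(2, FSA);
    // The three strings formerly quoted into `others` (presumably from the
    // current row of rs) are compared against NAME, ADDRESS_1 and ADDRESS_2,
    // so each is bound once per IN list (positions 3-11).
    String[] inValues = {
        rs.getString("NAME"), rs.getString("ADDRESS_1"), rs.getString("ADDRESS_2")
    };
    for (int pos = 3; pos < 12; pos++) {
        potentialParentsQuery.setString(pos, inValues[(pos - 3) % 3]);
    }
    // Keep the earlier getPotentialParents variable pointing at the live
    // statement (a PreparedStatement is a Statement), as the original did.
    getPotentialParents = potentialParentsQuery;
    rs = potentialParentsQuery.executeQuery();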
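-- SQL*Plus version of the potential-parent query with bind variables. The
-- values assigned below are the ones the printed Java query showed, so the
-- two can be compared side by side.
VARIABLE rootid   NUMBER;
VARIABLE fsa      VARCHAR2(20);
-- 'BRENNAN''S AWESOME PHARMACY #1' is 29 characters; a VARCHAR2(20) host
-- variable cannot hold it and the assignment fails with ORA-06502
-- ("character string buffer too small"), so size name like the addresses.
VARIABLE name     VARCHAR2(200);
VARIABLE address1 VARCHAR2(200);
VARIABLE address2 VARCHAR2(200);

BEGIN
  :rootid   := 10548;
  -- In the Java code FSA was a null String that got stringified as 'null'.
  -- With a real bind the value would be SQL NULL, and "FSA = :fsa" would
  -- then match no row; decide which behaviour is actually wanted.
  :fsa      := 'null';
  :name     := 'BRENNAN''S AWESOME PHARMACY #1';
  :address1 := '38 SOLUTIONS DR';
  :address2 := 'NULLNULLNULL';
END;
/

-- Every data value enters through a bind, so the statement text is fixed:
-- nothing in NAME/ADDRESS data can change the query's structure, and the
-- same three candidate strings are reused in each IN list.
SELECT UNIQUE_ID,
       NAME,
       ADDRESS_1,
       ADDRESS_2,
       POSTAL_CODE
FROM (
  SELECT *
  FROM   (
    SELECT p.*,
           CONNECT_BY_ROOT UNIQUE_ID AS ROOT_ID
    FROM   UNIQUE_CLINIC p
    START WITH PARENT_ID IS NULL
    CONNECT BY PRIOR UNIQUE_ID = PARENT_ID
    ORDER BY ROOT_ID
  )
)
WHERE ROOT_ID <> :rootid
AND   (   FSA       = :fsa
      OR  NAME      IN ( :name, :address1, :address2 )
      OR  ADDRESS_1 IN ( :name, :address1, :address2 )
      OR  ADDRESS_2 IN ( :name, :address1, :address2 )
      );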
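// Fixed statement text: every data value arrives through a named bind, so
// quotes in NAME/ADDRESS data cannot alter the query and no trailing ';' is
// needed (or allowed) in JDBC statement text.
String sql = "SELECT UNIQUE_ID, NAME, ADDRESS_1, ADDRESS_2, POSTAL_CODE FROM ( SELECT * FROM ( SELECT p.*, CONNECT_BY_ROOT UNIQUE_ID AS ROOT_ID FROM UNIQUE_CLINIC p START WITH PARENT_ID IS NULL CONNECT BY PRIOR UNIQUE_ID = PARENT_ID ORDER BY ROOT_ID ) ) WHERE ROOT_ID <> :rootid AND ( FSA = :fsa OR NAME IN ( :name, :address1, :address2 ) OR ADDRESS_1 IN ( :name, :address1, :address2 ) OR ADDRESS_2 IN ( :name, :address1, :address2 ) )";

PreparedStatement ps = connection.prepareStatement(sql);
// Named binds (:name) are an Oracle extension, so the Oracle-specific
// interface is required. The plain cast only works on a statement the Oracle
// driver handed out directly; behind a connection pool that wraps statements,
// ps.unwrap(OraclePreparedStatement.class) (JDBC 4) is the safe alternative.
OraclePreparedStatement ops = (OraclePreparedStatement) ps;
// Each of :name/:address1/:address2 occurs three times in the text; confirm
// with the driver version in use that setXxxAtName binds every occurrence of
// a repeated name rather than only the first.
// A NULL FSA is bound as SQL NULL, and "FSA = NULL" is never true, so that
// branch then matches nothing (the concatenated version compared against the
// text 'null' instead).
ops.setStringAtName("fsa", rs.getString("FSA"));
ops.setIntAtName("rootid", rs.getInt("ROOT_ID"));
ops.setStringAtName("name", rs.getString("NAME"));
ops.setStringAtName("address1", rs.getString("ADDRESS_1"));
ops.setStringAtName("address2", rs.getString("ADDRESS_2"));
// execute() throws away the rows of a SELECT unless getResultSet() follows;
// executeQuery() hands them back directly. A new variable is used so the
// source cursor rs is not clobbered.
ResultSet potentialParents = ps.executeQuery();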