Java JSP中的where子句SQL
谁能告诉我为什么我的SQL语句不能在JSP中工作。我将字符串的输出复制到oracle,它可以按预期工作。这句话对吗Java JSP中的where子句SQL,java,sql,oracle,jsp,Java,Sql,Oracle,Jsp,谁能告诉我为什么我的SQL语句不能在JSP中工作。我将字符串的输出复制到oracle,它可以按预期工作。这句话对吗 ResultSet rs = stmt.executeQuery("SELECT disc||crs_num FROM crs_sec_schedule_reader where'" +sqlString+"' "); 以下是代码的详细信息: String sqlString; sqlString = "crs_sec_schedule_reader.semester = '"
ResultSet rs = stmt.executeQuery("SELECT disc||crs_num FROM crs_sec_schedule_reader where'" +sqlString+"' ");
String sqlString;
sqlString = "crs_sec_schedule_reader.semester = '" + semesterAdjusted+"' ";
if(!department.equals( "Select All"))
{
sqlString += " and discipline_schedule_reader.discipline_name = '" + department+"'";
}
if (div_undr.equals("null") && div_grad.equals("G"))
{
sqlString += "and crs_sec_schedule_reader.D_E_G ='" + "G"+"'";
}
else if (div_undr .equals("U") && div_grad.equals( "null"))
{
sqlString += " and (crs_sec_schedule_reader.D_E_G = '"+ "D" +"' or
crs_sec_schedule_reader.D_E_G ='" + "E"+"')";
}
else
{
sqlString += "and (crs_sec_schedule_reader.D_E_G = '" + "D" + "' or
crs_sec_schedule_reader.D_E_G ='" + "E"+"'or crs_sec_schedule_reader.D_E_G = '"+"G"
+"') ";
}
.....
ResultSet rs = stmt.executeQuery("SELECT disc||crs_num FROM crs_sec_schedule_reader
where'" +sqlString+"' ");
删除
sqlStringResultSet rs = stmt.executeQuery("SELECT disc||crs_num FROM crs_sec_schedule_reader where'" +sqlString+"' ");
ResultSet rs = stmt.executeQuery("SELECT disc||crs_num FROM "
+ "crs_sec_schedule_reader where " +sqlString);
您在
之后缺少空格引号,请使用下面的语句
stmt.executeQuery("SELECT disc||crs_num FROM crs_sec_schedule_reader where '" +sqlString+"' ");
或
sqlString=“crs\u sec\u schedule\u reader.sement=”+
semesterAdjusted+“'”
我觉得后面的那句话很可疑
你最终会得到
where 'crs_blah_blah ......
但是按照Matt的建议去做——打印完整的sql语句,看看它是什么样子。这些事情总是很棘手。空格应该放在WHERE子句之后
(其中条件)
使用Prepared语句防止SQL注入。请尝试以下示例:
String selectSQL = "SELECT USER_ID, USERNAME FROM DBUSER WHERE USER_ID = ?";
PreparedStatement preparedStatement = dbConnection.prepareStatement(selectSQL);
preparedStatement.setInt(1, 1001);
ResultSet rs = preparedStatement.executeQuery(selectSQL );
while (rs.next()) {
String userid = rs.getString("USER_ID");
String username = rs.getString("USERNAME");
}
打印出生成的完整SQL语句,仔细查看并发布在这里。我很有信心。记住他的sqlString
也包含单引号。确保在where后面也有一个空格。
String selectSQL = "SELECT USER_ID, USERNAME FROM DBUSER WHERE USER_ID = ?";
PreparedStatement preparedStatement = dbConnection.prepareStatement(selectSQL);
preparedStatement.setInt(1, 1001);
ResultSet rs = preparedStatement.executeQuery(selectSQL );
while (rs.next()) {
String userid = rs.getString("USER_ID");
String username = rs.getString("USERNAME");
}