1. 首页
  2. 问答
  3. 将数据插入数据库Java JDBC

将数据插入数据库Java JDBC

2017-11-25 312 views
0

我正在学习Java JDBC,并且正在使用循环将数据存储到数据库(mySQL db)中。 当我存储第一名称和个人的姓氏,它似乎工作正常,但是当我尝试插入电子邮件地址,我得到以下错误:将数据插入数据库Java JDBC

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@123.com)'

据我所知,除非我错过了一些不可思议的东西,我看不出有什么语法错误?

我的代码如下:

import java.sql.*; 
import java.util.ArrayList; 
import java.util.Arrays; 

public class Driver { 
    public static void main(String[] args) { 
     try{ 
      Connection myConn = DriverManager.getConnection("jdbc:mysql://localhost:8889/demo","root","root"); 
      Statement myStmt = myConn.createStatement(); 
      ArrayList<String> firstNames = new ArrayList<String>(Arrays.asList("James", "John","Mark")); 
      ArrayList<String> lastNames = new ArrayList<String>(Arrays.asList("Handly", "licks","manford")); 
      ArrayList<String> emails = new ArrayList<String>(Arrays.asList("[email protected]", "[email protected]","[email protected]")); 

      for (int i = 0; i < firstNames.size(); i++){ 
       String sql = "INSERT INTO EMPLOYEES (first_name,last_name,email) VALUES (" + firstNames.get(i)+ ", " + lastNames.get(i) + ", " + emails.get(i) + ");"; 
       myStmt.executeUpdate(sql); 
      } 
      ResultSet myRes = myStmt.executeQuery("select * from Employees"); 
      while(myRes.next()){ 
       System.out.println(myRes.getString("first_name")+", "+ myRes.getString("last_name")); 
      } 
     }catch(Exception e){ 
      e.printStackTrace(); 
     } 
    } 
}

当我试图在一个时间例如插入数据的一个

String sql = "INSERT INTO EMPLOYEES (first_name,last_name,email) VALUES ('John','test','[email protected]')"; 
myStmt.executeUpdate(sql);

这工作正常,所以我很困惑,为什么数据没有正确传递。 谢谢!

编辑: 承蒙@scaisEdge和@ A.A反馈,尽管我一直在寻找做工作,用字符串文本的修补程序是一个BAD主意,因为这打开了SQL注入。 反过来,我现在修改了我的代码,使用Prepared语句(@ A.A的答案),它已经工作了,并且问题少得多!

新的代码如下:

import java.sql.*; 
import java.util.ArrayList; 
import java.util.Arrays; 

public class Driver { 
    public static void main(String[] args) { 

     Connection myConn = null; 
     PreparedStatement myStmt = null; 
     ResultSet myRs = null; 
     try{ 
      //1.get connection to db 
      myConn = DriverManager.getConnection("jdbc:mysql://localhost:8889/demo","root","root"); 

      ArrayList<String> firstNames = new ArrayList<String>(Arrays.asList("James", "John","Mark")); 
      ArrayList<String> lastNames = new ArrayList<String>(Arrays.asList("Handly", "licks","manford")); 
      ArrayList<String> emails = new ArrayList<String>(Arrays.asList("[email protected]", "[email protected]","[email protected]")); 
      for (int i = 0; i < firstNames.size(); i++){ 

       //Insert Query 
       myStmt = myConn.prepareStatement("INSERT INTO EMPLOYEES (first_name,last_name,email) VALUES (?,?,?)"); 

       myStmt.setString(1,firstNames.get(i)); 
       myStmt.setString(2,lastNames.get(i)); 
       myStmt.setString(3,emails.get(i)); 
       myStmt.execute(); 
      } 
      ResultSet myRes = myStmt.executeQuery("select * from Employees"); 
      while(myRes.next()){ 
       System.out.println(myRes.getString("first_name")+", "+ myRes.getString("last_name")); 
      } 
      myConn.close(); 
     }catch(Exception e) { 
      e.printStackTrace(); 
     } 
    } 
}

来源

2017-11-25 carl saptarshi

+3

您跳过字符串单引号值 – rpc1

+0

利用PreparedStatement(https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html)至像这样的狂热问题。它会自动为您添加引号并转义可能导致语句失效的事物。 – Pshemo

+0

我刚刚在该文档页面中偶然发现,同时寻找答案并准备尝试下一步:)谢谢! –

回答

5

我也建议使用准备好的语句,它不仅是更具可读性,也可以防止你的SQL注入攻击。更多信息here

例子:

preparedStatement = connection.prepareStatement("INSERT INTO EMPLOYEES (fname, lname, email) VALUES (?, ?, ?)"); 
preparedStatement.setString(1, person.getFName()); 
preparedStatement.setString(2, person.getLName()); 
preparedStatement.setString(2, person.getEmail());

来源

2017-11-25 17:10:11

相关问题

 相关问题