2017-04-09 103 views
1

Java SQL insert timestamp: java.sql.SQLSyntaxErrorException

I am trying to insert a timestamp into my database, but I keep getting java.sql.SQLSyntaxErrorException.

Here is my code

java.sql.Timestamp sqlDate = new java.sql.Timestamp(new java.util.Date().getTime()); 
System.out.println(sqlDate); 

Here is the insert and the connection to the DB

try { 
    Connection conn = DriverManager.getConnection("jdbc:derby://localhost:1598/VotingDB", "app", "app"); 
    Statement st = conn.createStatement(); 
    // TimeStamp is concatenated without quotes, so it ends up in the SQL text as bare tokens
    String sql = "INSERT INTO VOTES (CANDIDATE_NAME,VOTER_SSN,TIMESTAMP) " 
      + "VALUES ('" + Candidate_Name + "','" + ssn + "'," + TimeStamp + ")"; 

    st.executeUpdate(sql); 
    st.close(); 
    conn.close(); 
} catch (SQLException ex) { 
    System.out.println("Connection failed adding vote " + ex); 
} 

Error

2017-04-09 20:10:02.825 Connection failed adding vote java.sql.SQLSyntaxErrorException: Syntax error: Encountered "20" at line 1, column 94.

Answers

2

You should put your timestamp between '' like this:

"VALUES ('" + Candidate_Name + "','" + ssn + "','" + TimeStamp + "')"; 

But this is not secure enough; you must use PreparedStatement instead, to avoid any SQL injection.

For example:

import java.sql.PreparedStatement; 
import java.sql.Timestamp; 

String sql = "INSERT INTO VOTES (CANDIDATE_NAME, VOTER_SSN, TIMESTAMP) VALUES (?, ?, ?)"; 

try (PreparedStatement stm = connection.prepareStatement(sql)) { 

    stm.setString(1, Candidate_Name); 
    stm.setString(2, ssn); 
    // TimeStamp is a java.sql.Timestamp, so bind it with setTimestamp (setDate expects a java.sql.Date) 
    stm.setTimestamp(3, TimeStamp); 

    stm.executeUpdate(); 
} 
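The following is an added example, not code from the question or either answer, that shows both halves of the answer above on realistic input: why the unquoted timestamp is a syntax error, and why quoting it is not enough. It uses Python's sqlite3 module with an in-memory database in place of Java/Derby so it runs offline; the `?` placeholders are the sqlite3 equivalent of PreparedStatement. The table, the candidate name payload, the SSN and the timestamp are all constructed here. The payload needs no stacked queries and no comment trick: it closes the open string and VALUES tuple and appends extra rows, and the server's own trailing `','ssn','ts')` completes the last row.

```python
import sqlite3

# Constructed sample values standing in for the question's Candidate_Name, ssn and TimeStamp.
TS = "2017-04-09 20:10:02.825"
SSN = "987-65-4321"
# Hostile "candidate name": closes the open string literal and VALUES tuple, adds two
# extra rows for Alice, and leaves an open tuple that the appended ssn/timestamp finish.
PAYLOAD = ("Alice','000-00-0001','" + TS + "'),"
           "('Alice','000-00-0002','" + TS + "'),"
           "('Alice")


def setup():
    """In-memory SQLite table with the same columns as the question's VOTES table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE VOTES (CANDIDATE_NAME TEXT, VOTER_SSN TEXT, TIMESTAMP TEXT)")
    return conn


def build_concat_sql(candidate_name, ssn, ts, quote_timestamp=True):
    """The question's string-built INSERT; quote_timestamp=False reproduces the original bug."""
    ts_literal = "'" + ts + "'" if quote_timestamp else ts
    return ("INSERT INTO VOTES (CANDIDATE_NAME,VOTER_SSN,TIMESTAMP) VALUES ('"
            + candidate_name + "','" + ssn + "'," + ts_literal + ")")


def insert_vote_concat(conn, candidate_name, ssn, ts):
    """Vulnerable: SQL text assembled from untrusted input, executed as a single statement."""
    conn.execute(build_concat_sql(candidate_name, ssn, ts))
    conn.commit()


def insert_vote_param(conn, candidate_name, ssn, ts):
    """Safe: placeholders, the equivalent of PreparedStatement.setString/setTimestamp."""
    conn.execute(
        "INSERT INTO VOTES (CANDIDATE_NAME, VOTER_SSN, TIMESTAMP) VALUES (?, ?, ?)",
        (candidate_name, ssn, ts),
    )
    conn.commit()


def count_votes(conn):
    """Rows per candidate name, as a dict."""
    rows = conn.execute(
        "SELECT CANDIDATE_NAME, COUNT(*) FROM VOTES GROUP BY CANDIDATE_NAME"
    ).fetchall()
    return dict(rows)


def unquoted_timestamp_error():
    """The question's original statement: the bare timestamp is a syntax error here as well."""
    conn = setup()
    try:
        conn.execute(build_concat_sql("Bob", SSN, TS, quote_timestamp=False))
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def demo_concat():
    """One 'vote' submitted through the concatenated query becomes three rows for Alice."""
    conn = setup()
    insert_vote_concat(conn, PAYLOAD, SSN, TS)
    return count_votes(conn)


def demo_param():
    """The same payload through the parameterized query is stored as a literal name: one row."""
    conn = setup()
    insert_vote_param(conn, PAYLOAD, SSN, TS)
    return count_votes(conn)


if __name__ == "__main__":
    print("unquoted timestamp:", unquoted_timestamp_error())
    print("concatenated SQL:  ", demo_concat())
    print("parameterized SQL: ", demo_param())
```

Quoting the timestamp fixes the syntax error, and the very same quotes are what the payload exploits; only binding the values as parameters keeps them out of the SQL grammar entirely.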
1

Shouldn't you wrap the TimeStamp variable in single quotes?

String sql = "INSERT INTO VOTES (CANDIDATE_NAME,VOTER_SSN,TIMESTAMP) " 
    + "VALUES ('"+Candidate_Name +"','"+ssn +"','"+TimeStamp+"')";