无法在JDBC PreparedStatement上的单引号内转义参数

Question

无法在JDBC PreparedStatement上的单引号内转义参数

我想通过JDBC进行这样的查询(注意它包含一些postgis函数):

SELECT id, name, ST_Y(location::geometry) as latitude, ST_X(location::geometry) as longitude, category_group, category 
FROM pois 
WHERE ST_DWithin(location, ST_GeographyFromText('SRID=4326;POINT(-5.8340534 43.3581991)'), 1000000);

Run Code Online (Sandbox Code Playgroud)

所以我将查询参数化为:

SELECT id, name, ST_Y(location::geometry) as latitude, ST_X(location::geometry) as longitude, category_group, category 
FROM pois 
WHERE ST_DWithin(location, ST_GeographyFromText('SRID=4326;POINT(? ?)'), ?);

Run Code Online (Sandbox Code Playgroud)

问题是,当执行preparedStament时,它找不到前两个参数,因为它们在单引号内,因此它给出了一个错误.

我还试图用"没有成功"的单引号来逃避:

SELECT id, name, ST_Y(location::geometry) as latitude, ST_X(location::geometry) as longitude, category_group, category 
FROM pois 
WHERE ST_DWithin(location, ST_GeographyFromText(\'SRID=4326;POINT(? ?)\'), ?);

Run Code Online (Sandbox Code Playgroud)

现在,作为一种解决方法,我没有绑定参数,只是将查询字符串附加到它们,但这很容易受到SQL注入,所以我只想知道是否有任何方法可以逃避该句子以使参数绑定工作.

Answer 1

Pab*_*blo 6

问我自己,我正在使用字符串concat:

"SELECT id, name, ST_Y(location::geometry) as latitude, ST_X(location::geometry) as longitude, category_group, category 
FROM pois 
WHERE ST_DWithin(location, ST_GeographyFromText('SRID=4326;POINT(' || ? || ' ' || ? || ')'), ?);"

Run Code Online (Sandbox Code Playgroud)

归档时间：	11 年，4 月前
查看次数：	1692 次
最近记录：	11 年，4 月前