检查用户是否存在,Java,JDBC和MySQL

Question

我正在尝试检查我的数据库中是否存在用户,然后为用户执行一些验证过程,如果没有返回入侵者消息.我正在使用Java和MySQL来达到这个目的.这是我的代码.

public class Check{

    public boolean isPresent(){
        connect();// private method that connects to db
        boolean isAvailable = false;
        String query = "SELECT EXISTS(SELECT 1 FROM students WHERE matric =" + this.myId + ")"; // this.myId has been passed into the constructor

        try{
            Statement statement;
            ResultSet resultSet;
            statement = connection.createStatement();
            resultSet = statement.executeQuery(query);
            if(resultSet.absolute(1)){
                isAvailable = true;
            }else{
                isAvailable = false;
        }catch(SQLException e){
            e.printStackTrace();
        }finally{
         closeConnection();// private method that closes connection
         return isAvailable;
    }

}

我已经检查过这样的解决方案,但似乎没有解决这个问题.我得到的错误是:"where子句中的未知列CCE",JDBC API中还有其他错误.在我看来,就像我从传承人那里传来的价值一样,有些东西被截断了.

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'CCE' in 'where clause'
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
        at java.lang.reflect.Constructor.newInstance(Unknown Source)
        at com.mysql.jdbc.Util.handleNewInstance(Util.java:400)
        at com.mysql.jdbc.Util.getInstance(Util.java:383)
        at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:980)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3847)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3783)
        at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2447)
        at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2594)
        at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2541)
        at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2499)
        at com.mysql.jdbc.StatementImpl.executeQuery(StatementImpl.java:1432) 

Answer 1

从简易修复到正确

1 - 引用您的ID将修复您的SQL错误(添加'around id)

String query = "SELECT EXISTS(SELECT 1 FROM students WHERE matric = '" + this.myId + "')"; // this.myId has been passed into the constructor

但是,仍然使用子选择存在？为什么不直接让学生？

2 - 删除子选择

String query = "SELECT * FROM students WHERE matric = '" + this.myId + "'"; 
try{
        Statement statement;
        ResultSet resultSet;
        statement = connection.createStatement();
        resultSet = statement.executeQuery(query);
        if(resultSet.next()){
            isAvailable = true;
        }else{
            isAvailable = false;
        } //Missing in your code

3. 使用准备好的Statement来防止SQL注入

想想my ...就像... myId = "killer'); DROP TABLE STUDENTS; --"- 你不想这样执行.

String query = "SELECT * FROM students WHERE matric = ?"; 
try{
        PreparedStatement statement;
        ResultSet resultSet;
        statement = connection.prepareStatement(query);
        statement.setString(1, myId);
        resultSet = statement.executeQuery();

4. 尝试使用Ressource并提高可读性

通过使用try-with-resource,您可以摆脱大多数捕获:

String query = "SELECT * FROM students WHERE matric = ?"; 
try (PreparedStatement statement = connection.prepareStatement(query)) {
        statement.setString(1, myId);
        try(ResultSet resultSet = statement.executeQuery()) {
          return rs.next();
        }
} catch(SQLException se) {
   se.printStackTrace();
   return false;
}