Dev*_*xon 35 java mysql jdbc prepared-statement
这种方式对这个问题的答案似乎很难在互联网上找到.基本上我使用PreparedStatement将值插入MySQL数据库.我使用PreparedStatement来转义数据以防止SQL注入攻击.问题是,现在有办法撤回这些密钥.
String query="Insert INTO Table_A(name, age) (?, ?)";
//String query="Insert INTO Table_A(name, age) ('abc','123' )";//Doesn't escape
PreparedStatement prest;
prest = con.prepareStatement(query);
prest.setString(1,"abc");
prest.setInt(2,123);
prest.executeUpdate();
//prest.executeUpdate(query, PreparedStatement.RETURN_GENERATED_KEYS); Throws an error
//prest.executeQuery(); Throws an error
那么我怎样才能逃避输入并在Java中使用PreparedStatements?
小智 62
通过Statement.RETURN_GENERATED_KEYS在prepareStatement()你的查询一起.然后使用getGeneratedKeys()PreparedStatement来获取包含插入的auto_incremented_id的ResultSet.
String query="Insert INTO Table_A(name, age) (?, ?)";
//String query="Insert INTO Table_A(name, age) ('abc','123' )";//Doesn't escape
PreparedStatement prest;
prest = con.prepareStatement(query, Statement.RETURN_GENERATED_KEYS);
prest.setString(1,"abc");
prest.setInt(2,123);
prest.executeUpdate();
//prest.executeUpdate(query, PreparedStatement.RETURN_GENERATED_KEYS); Throws an error
//prest.executeQuery(); Throws an error
ResultSet rs = prest.getGeneratedKeys();
if(rs.next())
{
int last_inserted_id = rs.getInt(1);
}
如果不能使用RETURN_GENERATED_KEYS,请使用另一个语句(这次是查询)来执行
SELECT last_insert_id()
确保该表中确实有一个自动增量主键列。