我有一些Java代码
int userid = take user input;
然后执行以下sql语句,
Class.forName(dbdriver);
conn = DriverManager.getConnection(url, username, password);
st = conn.createStatement();
st.executeUpdate("select * from person where uid = userid" );
现在,我不知道返回的结果是什么null.我认为 where uid = userid是错误的结果,因为它正在搜索文字的uid值"userid".实际上,我想从人员表中检索有关用户提供的uid值的信息.任何人都可以帮我解决这个问题吗?
您应该使用prepare语句,因为它可以保护您免受SQL注入.您还可以通过在执行之前打印出sql语句来添加简单的日志记录,这样您就可以确定了.以下是示例课程,但您可以随意更改它.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
public class DBAccess
{
PreparedStatement pstmt;
Connection con;
DBAccess() throws Exception
{
String dbdriver = "";
String url = "";
String username = "";
String password = "";
Class.forName(dbdriver);
con = DriverManager.getConnection(url, username, password);
}
public Person getPerson(int userid) throws Exception
{
pstmt = con.prepareStatement("select * from person where uid = ?");
pstmt.setInt(1, userid);
System.out.println("sql query " + pstmt.toString());
ResultSet rs = pstmt.executeQuery();
if (rs.next())
{
Person person = new Person();
person.setName(rs.getString("name"));
return person;
}
return null;
}
}
小智 5
你可以粘贴关于这个问题的整个代码块吗?以下是我的建议
int userid = get user id ;
Connection connection = get connection ;
String sql = "select * from person where uid=?";
PreparedStatement pstmt = connection.prepareStatement(sql);
pstmt.setInt(1,userid);
如果数据库有一个或多个uid字段等于userid的记录,则返回正确的结果
ResultSet rs = stmd.executeQuery("select * from person where uid = "+ userid);
while (rs.next()) {
System.out.println("Name= " + rs.getString(1));
}