我将字符串数组传递给PreparedStatement ..我正在使用mysql,jsp和存储过程

时间:2016-04-14 12:25:37

标签: mysql jsp

我将字符串数组传递给PreparedStatement。我使用的是mysql,jsp和存储过程,但它不是从数据库中获取数据:

 String searchbycategory[] = request.getParameterValues("category");

 StringBuilder sb= new StringBuilder();
 String filter = ""; 

 for(int i = 0; i < searchbycategory.length; i++) { 
     sb.append( "'"+searchbycategory[i]+"'," );
 }

 filter = sb.toString();
 filter = filter.substring(0, filter.length()-1);

 PreparedStatement pstmt = con.prepareStatement("{call some(?)}"); 
 pstmt.setString(1, filter);

 ResultSet resultset = pstmt.executeQuery();

1 个答案:

答案 0 :(得分:0)

如果 searchbycategory 的长度为1,则您的程序应按预期工作。 问题是你将输入字符串加入一个。

如果要在程序中阻止SQL注入, 每个 searchbycategory 都应映射到PrepareStatement中的一个参数。例如:

    String searchbycategory[] = request.getParameterValues("category");
    StringBuilder sb = new StringBuilder().append("select col_name from table_name where category in (");
    for (int i = 0; i < searchbycategory.length; i++) {
        sb.append("?,");
    }
    sb.setCharAt(sb.length()-1,')');
    PreparedStatement pstmt = con.prepareStatement(sb.toString());
    for (int i = 0; i < searchbycategory.length; i++) {
        pstmt.setString(i+1, searchbycategory[i]);
    }
    ResultSet resultset = pstmt.executeQuery();
相关问题
最新问题