我正在使用预准备语句来保护我的sql查询免受sql注入攻击。该声明在另一篇文章中提出,我按照指示实施。我现在在更新查询运行时收到错误。它只发生在我的程序的几个步骤。这是代码的一部分和一个详细说明错误的注释区域。如果我需要发布整个程序,请告诉我。
以下是摘录:
String updateQuery ="" + " Update student"
+ "Set firstname = ?, "
+ " lastname = ?, "
+ " gpa = ? "
+ " status = ?, "
+ " mentor = ?, "
+ " level = ?, "
+ " thesisTitle = ?, "
+ " thesisAdvisor = ?, "
+ " company = ?, "
+ "Where studentid = ? ";
//This seems to work right up to set #7, then the program errors out. It indicates a syntax error that I cannot find?
// I wonder if the error is version dependant? Error points to MySQL version for correct syntax to use near '= ?, that would be right after firstName.
PreparedStatement pstmt = conn.prepareStatement(updateQuery); //to protect against SQL injection attacks
pstmt.setString(1,firstName);
pstmt.setString(2,lastName);
pstmt.setDouble(3,gpa);
pstmt.setString(4,status);
pstmt.setString(5,mentor);
pstmt.setString(6,level);
pstmt.setString(7,thesisTitle);
pstmt.setString(8,thesisAdvisor);
pstmt.setString(9,company);
pstmt.setString(10,studentID);
int rowsInserted = stmt.executeUpdate(updateQuery);
System.out.print("Number of Rows inserted = " + rowsInserted);
// Close the statement and the connection
stmt.close();
conn.close();
答案 0 :(得分:3)
删除comma
company
+ " company = ?, "
^ here