Unknown SQL problem with an INSERT statement

Time: 2013-03-31 16:17:32

Tags: java sql

Basically I am trying to update a database table with the values from getSelectRow. As you can see, the query finds the correct data, but there is a big problem when actually trying to add it to the database. The error is in the SQL syntax, but I don't know where I went wrong. Please help.

This is the query it executes, but I don't know why it isn't updating the table.

INSERT INTO customerdetails 
      FName        = 'Tim'
  AND SName        = 'Cooley'
  AND Address      = '52     Buckminster Drive Dorridge Solihull West Mids'
  AND Postcode     = 'B93 8PG'

Java code:

private void sendBtnMouseClicked(java.awt.event.MouseEvent evt) {                                     
    // TODO add your handling code here:

    int insertRow = newOrderTbl.getSelectedRow();
    int col2 = 0;

    String sql3 = "INSERT INTO customerdetails VALUES "
            + "FName            = '" + newOrderTbl.getValueAt(insertRow, col2)     +"'"
            + "AND SName        = '" + newOrderTbl.getValueAt(insertRow, col2+1)   +"'"
            + "AND Address      = '" + newOrderTbl.getValueAt(insertRow, col2+2)   +"'"
            + "AND Postcode     = '" + newOrderTbl.getValueAt(insertRow, col2+3)   +"'";
    System.out.println(sql3); 
    try{

        pst = conn.prepareStatement(sql3);
        pst.executeUpdate(sql3);
        JOptionPane.showMessageDialog(null, "Deleted");   


        CustomerTable();

    }
    catch (Exception e){
        JOptionPane.showMessageDialog(null, e);
    }


}   

3 answers:

Answer 0 (score: 3)

First, your SQL syntax is wrong (at the very least, it is non-standard SQL syntax for your database engine). Second, your code is vulnerable to SQL injection attacks.

To solve both problems you should use PreparedStatement (you were using it the wrong way). A basic example in code:

String sql = "INSERT INTO customerdetails (FName, SName, Address, Postcode) VALUES (?, ?, ?, ?)";
PreparedStatement pst = conn.prepareStatement(sql);
// getValueAt returns Object, so convert each cell to a String before binding it
pst.setString(1, String.valueOf(newOrderTbl.getValueAt(insertRow, col2)));
pst.setString(2, String.valueOf(newOrderTbl.getValueAt(insertRow, col2+1)));
pst.setString(3, String.valueOf(newOrderTbl.getValueAt(insertRow, col2+2)));
pst.setString(4, String.valueOf(newOrderTbl.getValueAt(insertRow, col2+3)));
pst.executeUpdate(); // no argument: the SQL was already bound in prepareStatement
//rest of code...

Assuming your SQL syntax were valid, you should still pass the values as parameters, similar to the previous example:

String sql3 = "INSERT INTO customerdetails VALUES "
        + "FName            = ?"
        + " AND SName       = ?"
        + " AND Address     = ?"
        + " AND Postcode    = ?";
pst = conn.prepareStatement(sql3);
pst.setString(1, String.valueOf(newOrderTbl.getValueAt(insertRow, col2)));
pst.setString(2, String.valueOf(newOrderTbl.getValueAt(insertRow, col2+1)));
pst.setString(3, String.valueOf(newOrderTbl.getValueAt(insertRow, col2+2)));
pst.setString(4, String.valueOf(newOrderTbl.getValueAt(insertRow, col2+3)));
pst.executeUpdate();
//rest of code...
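As an added example (not code from the question or the answers above), the following stand-alone program contrasts the string-concatenated INSERT with the parameterised PreparedStatement form against an in-memory database. It assumes the H2 JDBC driver is on the classpath; the table, the sample row and the class name are constructed for the demonstration. The sample surname contains an apostrophe, which is enough to break the concatenated statement while the parameterised insert stores it unchanged.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class CustomerInsertDemo {
    // Assumption: the H2 driver (com.h2database:h2) is on the classpath; any JDBC driver behaves the same.
    static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    // Constructed sample row, shaped like what JTable.getValueAt hands back (Object, not String).
    static final Object[] ROW = {"Tim", "O'Cooley", "52 Buckminster Drive", "B93 8PG"};

    // The original approach: cell values pasted into the SQL text. Any value containing a quote
    // changes the statement itself, so the database either rejects it or executes something else.
    static String concatenated(Object[] row) {
        return "INSERT INTO customerdetails(FName,SName,Address,Postcode) VALUES ('"
                + row[0] + "','" + row[1] + "','" + row[2] + "','" + row[3] + "')";
    }

    // Parameterised insert: the SQL text is fixed, values are sent separately and never parsed as SQL.
    static int insertCustomer(Connection conn, Object[] row) throws SQLException {
        String sql = "INSERT INTO customerdetails (FName, SName, Address, Postcode) VALUES (?, ?, ?, ?)";
        try (PreparedStatement pst = conn.prepareStatement(sql)) {
            for (int i = 0; i < row.length; i++) {
                pst.setString(i + 1, String.valueOf(row[i])); // convert the table cell to String
            }
            return pst.executeUpdate(); // no argument: the SQL was bound in prepareStatement
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL);
             Statement st = conn.createStatement()) {
            st.execute("CREATE TABLE customerdetails (FName VARCHAR(50), SName VARCHAR(50),"
                    + " Address VARCHAR(200), Postcode VARCHAR(10))");
            try {
                st.executeUpdate(concatenated(ROW));
            } catch (SQLException e) {
                System.out.println("concatenated insert failed: " + e.getMessage());
            }
            int n = insertCustomer(conn, ROW);
            System.out.println("parameterised insert affected " + n + " row(s)");
            try (ResultSet rs = st.executeQuery("SELECT SName FROM customerdetails")) {
                while (rs.next()) System.out.println("stored surname: " + rs.getString(1));
            }
        }
    }
}
```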

Answer 1 (score: 0)

For the update statement it would be:

String sql3 = "INSERT INTO customerdetails(FName,SName,Address,Postcode) VALUES ("
            + " '" + newOrderTbl.getValueAt(insertRow, col2)     +"',"
            + " '" + newOrderTbl.getValueAt(insertRow, col2+1)   +"',"
            + " '" + newOrderTbl.getValueAt(insertRow, col2+2)   +"',"
            + " '" + newOrderTbl.getValueAt(insertRow, col2+3) + "')";

Also, you should use PreparedStatement.

Thanks

Answer 2 (score: 0)

Please change it to

String sql3 = "INSERT INTO customerdetails(FName,SName,Address,Postcode) VALUES ("
            + "'" + newOrderTbl.getValueAt(insertRow, col2)     +"',"
            + "'" + newOrderTbl.getValueAt(insertRow, col2+1)   +"',"
            + "'" + newOrderTbl.getValueAt(insertRow, col2+2)   +"',"
            + "'" + newOrderTbl.getValueAt(insertRow, col2+3)   +"')";

The insert statement generated in the code seems to be invalid. See SQL Insert Statement for details.

Also, a better approach would be to create a dedicated server-side DAO class to handle the database operations.