Escaping single quotes when using JdbcTemplate for a dynamic WHERE clause

Time: 2013-04-20 21:50:48

Tags: spring-mvc jdbctemplate spring-jdbc

I am using JdbcTemplate to query the database, but I am building a dynamic WHERE clause and I want to escape the quotes. Below is an example of what my string looks like:

Sometimes there won't be any where clause at all, because the user may want to return all records. So using prepared statements may not be feasible here.

JdbcTemplate

String sql = "select crime.*, "+
                     "criminalSocialSecurityNumber,criminal.fName as criminalFName,criminal.lName as criminalLName,"+
                     "criminal.photo as criminalPhoto,criminal.dob as criminalDob,victimSocialSecurityNumber,"+
                     "victim.fName as victimFName,victim.lName as victimLName,victim.photo as victimPhoto, victim.dob as victimDob "+ 
                     "from tblcrimes crime "+
                     "left join tblcriminalcrime on crime.crimeRecNo = tblcriminalcrime.crimeRecNo "+
                     "left join tblvictimcrime on crime.crimeRecNo = tblvictimcrime.crimeRecNo "+
                     "inner join tblcitizens criminal on criminal.socialSecurityNumber = tblcriminalcrime.criminalSocialSecurityNumber "+
                     "inner join tblcitizens victim on victim.socialSecurityNumber = tblvictimcrime.victimSocialSecurityNumber " + where_clause;

1 answer:

Answer 0 (score: 2)

Using prepared statements is entirely possible, and it is what you should do.

Build the query dynamically with a placeholder (?) for each parameter, and every time you add a placeholder, also add the parameter value to a list of arguments. At the end you have a parameterized SQL query plus a list of parameter values to bind to the prepared statement.

Something like this (criteria, query and connection are assumed to exist; query is assumed to end in a clause such as "where 1 = 1" so that the " and ..." fragments attach to it):
List<Object> args = new ArrayList<Object>();
StringBuilder whereClause = new StringBuilder();
// Each optional criterion adds one placeholder and, in the same step, one bind value.
if (criteria.getFoo() != null) {
    whereClause.append(" and foo = ?");
    args.add(criteria.getFoo());
}
if (criteria.getBar() != null) {
    whereClause.append(" and bar = ?");
    args.add(criteria.getBar());
}
// ...

// The SQL text contains only placeholders; the values are bound separately,
// so quotes inside them never need escaping.
PreparedStatement stmt = connection.prepareStatement(query + whereClause);
int i = 1;
for (Object arg : args) {
    stmt.setObject(i, arg);
    i++;
}
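As an added example, not part of the answer above nor of the questioner's project, here is the same placeholder pattern wired into JdbcTemplate for the question's query, with the "return all records" case handled by omitting WHERE entirely rather than by giving up on prepared statements. The CrimeSearch criteria class, the BoundQuery holder, the ORDER BY allow-list and the '!' LIKE escape character are assumptions for illustration; the table and column names come from the question. It also goes one step beyond the answer to cover two things a ? placeholder does not take care of: LIKE wildcards inside a bound value, and identifiers such as a sort column, which cannot be bound and must be checked against a fixed list instead.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.sql.DataSource;

import org.springframework.jdbc.core.ColumnMapRowMapper;
import org.springframework.jdbc.core.JdbcTemplate;

public class CrimeSearchDao {

    /** Hypothetical search criteria: a null field means "no filter on that column". */
    public static final class CrimeSearch {
        public Integer crimeRecNo;    // exact match
        public String victimSsn;      // exact match
        public String criminalLName;  // prefix match via LIKE
        public String sortColumn;     // an identifier, which cannot be bound with ?
    }

    /** SQL text with placeholders plus the bind values, in placeholder order. */
    public static final class BoundQuery {
        public final String sql;
        public final Object[] args;
        BoundQuery(String sql, Object[] args) { this.sql = sql; this.args = args; }
    }

    // Base query from the question, minus the appended where_clause string.
    private static final String BASE_SQL =
        "select crime.*, criminal.fName as criminalFName, criminal.lName as criminalLName, " +
        "victim.fName as victimFName, victim.lName as victimLName " +
        "from tblcrimes crime " +
        "left join tblcriminalcrime on crime.crimeRecNo = tblcriminalcrime.crimeRecNo " +
        "left join tblvictimcrime on crime.crimeRecNo = tblvictimcrime.crimeRecNo " +
        "inner join tblcitizens criminal on criminal.socialSecurityNumber = tblcriminalcrime.criminalSocialSecurityNumber " +
        "inner join tblcitizens victim on victim.socialSecurityNumber = tblvictimcrime.victimSocialSecurityNumber";

    // Identifiers cannot be sent as parameters, so a user-chosen sort column is
    // checked against this assumed allow-list instead of being concatenated as-is.
    private static final Set<String> SORTABLE =
        new HashSet<>(Arrays.asList("crime.crimeRecNo", "criminal.lName", "victim.lName"));

    public static BoundQuery build(CrimeSearch c) {
        List<String> conditions = new ArrayList<>();
        List<Object> args = new ArrayList<>();

        if (c.crimeRecNo != null) {
            conditions.add("crime.crimeRecNo = ?");
            args.add(c.crimeRecNo);
        }
        if (c.victimSsn != null) {
            conditions.add("victim.socialSecurityNumber = ?");
            args.add(c.victimSsn);
        }
        if (c.criminalLName != null && !c.criminalLName.isEmpty()) {
            // The wildcard is part of the bound value, not the SQL text. A name such
            // as O'Brien needs no quote escaping, but % and _ typed by the user would
            // still act as wildcards, so they are escaped with '!' (see escapeLike).
            conditions.add("criminal.lName like ? escape '!'");
            args.add(escapeLike(c.criminalLName) + "%");
        }

        StringBuilder sql = new StringBuilder(BASE_SQL);
        if (!conditions.isEmpty()) {
            // No criteria means no WHERE at all: the base query returns every row.
            sql.append(" where ").append(String.join(" and ", conditions));
        }
        if (c.sortColumn != null) {
            if (!SORTABLE.contains(c.sortColumn)) {
                throw new IllegalArgumentException("unsupported sort column: " + c.sortColumn);
            }
            sql.append(" order by ").append(c.sortColumn);
        }
        return new BoundQuery(sql.toString(), args.toArray());
    }

    /** Escapes LIKE metacharacters so the user's text matches literally. */
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    private final JdbcTemplate jdbc;

    public CrimeSearchDao(DataSource ds) {
        this.jdbc = new JdbcTemplate(ds);
    }

    /** JdbcTemplate prepares the statement and binds args in order; nothing is quoted by hand. */
    public List<Map<String, Object>> search(CrimeSearch c) {
        BoundQuery q = build(c);
        return jdbc.query(q.sql, new ColumnMapRowMapper(), q.args);
    }
}
```

With an empty CrimeSearch, build() returns BASE_SQL and an empty argument array, which JdbcTemplate accepts like any other call, so the "no where clause" case from the question does not require abandoning prepared statements. The one place the SQL text still receives user input is the ORDER BY column, and that path is guarded by the allow-list because no driver can bind an identifier.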