在SQL语句结束时缺少分号(;)

时间:2013-08-04 11:10:25

标签: java sql sql-server sqlexception

我试图通过将表中的值与我从ID号中捕获的有关用户的变量进行比较,从数据库中的另一个表中将值插入到表中。

我收到以下错误:

java.sql.SQLException: [Microsoft][ODBC Microsoft Access Driver] Missing semicolon (;) at end of SQL statement.

以下是我用来尝试上述代码的代码:

    Statement stmt1 = con.createStatement();

    String mySqlStatement1 = "INSERT INTO Entrant_Group VALUES (Group_Description) WHERE Group_MinAge <= " + details.getAge() + "AND Group_MaxAge >= " + details.getAge() + "AND Group_Gender = 'details.getGender()'";
    stmt1.executeUpdate(mySqlStatement1);

1 个答案:

答案 0 :(得分:3)

暂时搁置关于SQL注入攻击的标准警告,你的陈述的问题是你错误地引用你的引号并且在AND s之前没有空格:

String mySqlStatement1 = "INSERT INTO Entrant_Group VALUES (Group_Description) WHERE Group_MinAge <= "
 +   details.getAge()
 +   " AND Group_MaxAge >= " // Add space
 +   details.getAge()
 +   " AND Group_Gender = '" // Add space
 +   details.getGender()     // This part was enclosed in double-quotes
 +   "';";                   // Add semicolon at the end

为防止注入攻击,您应该参数化查询,并将值绑定到预准备语句的参数:

String mySqlStatement1 = "INSERT INTO Entrant_Group VALUES (Group_Description) WHERE Group_MinAge <= ? AND Group_MaxAge >= ? AND Group_Gender = ?;";