我正在尝试使用java程序将值从一个服务器插入另一个服务器。这是我的代码: -
public static void main(String[] args) throws FileNotFoundException {
// TODO code application logic here
try {
Class.forName("oracle.jdbc.OracleDriver");
} catch (Exception exception) {
}
Connection conn = null;
Connection conn1 = null;
ResultSet rs, rs1 = null;
Statement pst = null;
try {
// dbConnect.executequery(sdate, edate);
conn = DriverManager.getConnection("jdbc:oracle:thin:@31.4.224.76:1521:RPTPSG", "pihist", "pihist");
String query = "select * from messagemasterhistory where ROWNUM<=1572660";
// String query="select * from messagemasterhistory where createdate>='28-JAN-11' and createdate<='18-FEB-2011'";
pst = conn.createStatement(java.sql.ResultSet.TYPE_FORWARD_ONLY, java.sql.ResultSet.CONCUR_READ_ONLY);
// String sql="insert into test(SRN ,UTR) values (";
// pst=conn.prepareStatement(sql);
// rs.absolute(2000);
// pst.setFetchSize(2000);
// pst.setMaxRows(1500000);
pst.setFetchDirection(ResultSet.FETCH_FORWARD);
rs = pst.executeQuery(query);
// String statment="insert into test(UTR,SRN) values('abc','1')";
// PrintWriter wt=new PrintWriter("ritima2.txt");
conn1 = DriverManager.getConnection("jdbc:oracle:thin:@31.4.224.81:1521:RPTPSG", "rptr", "rptr");
Statement stat1 = conn1.createStatement();
while (rs.next()) {
String str = rs.getString("FIELDDATA");
String str1 = rs.getString("FIELDINFO");
String statment = "insert into MESSAGEMASTERHISTORY2(UTR,CREATEDATE,SENDER,RECEIVER,SUBMESSAGETYPE,FIELDINFO,FIELDDATA,DUPLICATE) values(" + "'" + rs.getString("UTR") + "'" + "," + "TO_DATE('" + rs.getDate("CREATEDATE") + "'" + ",'YYYY-MM-DD\" \"HH24:MI:SS')" + "," + "'" + rs.getString("SENDER") + "'" + "," + "'" + rs.getString("RECEIVER") + "'" + "," + "'" + rs.getString("SUBMESSAGETYPE") + "'" + "," + "'" + str1 + "'" + "," + "'" + str + "'" + "," + rs.getInt("DUPLICATE") + ")";
// String statment="insert into test1 (fielddata,utr) values("+"'"+(rs.getString("fielddata"))+"'"+","+"'"+rs.getString("UTR")+"')";
System.out.println(count);
stat1.executeQuery(statment);
System.out.println(str);
System.out.println(str1);
// System.out.println(rs.getClob("FIELDDATA"));
System.gc();
count++;
}
conn1.commit();
conn1.close();
// wt.close();
System.out.println("Completed");
conn.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
插入几行(6274)后出现错误“java.sql.SQLException:ORA-00917:缺少逗号
at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:113)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:288)
at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:754)
at oracle.jdbc.driver.T4CStatement.doOall8(T4CStatement.java:210)
at oracle.jdbc.driver.T4CStatement.executeForRows(T4CStatement.java:963)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1192)
at oracle.jdbc.driver.OracleStatement.executeQuery(OracleStatement.java:1315)
at javaapplication2.Main.main(Main.java:73)
答案 0 :(得分:3)
这不是一种在数据库中插入数据的非常安全的方法。 它易受SQL注入攻击。这可能是正在发生的事情。
您的插入数据中可能有',这很快就会结束查询。
您应该查看这篇文章,它将向您展示如何使用预准备语句或其他方法来保护您的查询。
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
如果你很好奇,你也可以看看Hibernate。通过一些配置,它可以安全地保存您的实体,而无需自己编写冗长的查询
http://docs.jboss.org/hibernate/orm/4.2/quickstart/en-US/html/
答案 1 :(得分:3)
您从源数据库复制的其中一个字符串可能包含非法的SQL代码序列。
您应该考虑使用带参数的PreparedStatement,而不是使用字符串连接来构造SQL。 PreparedStatement应该是预编译的,你不必担心转义你的字符串。
类似的东西:
String statment = "insert into MESSAGEMASTERHISTORY2(UTR,CREATEDATE,SENDER,RECEIVER,SUBMESSAGETYPE,FIELDINFO,FIELDDATA,DUPLICATE) values(?,?,?,?,?,?,?,?)";
PreparedStatement ps = conn1.prepareStstement(statement)
while (rs.next()) {
ps.setString(1, rs.getString("UTR"));
ps.setDate(2, rs.getDate("CREATEDATE"));
// etc etc
ps.executeUpdate();
conn1.commit(); //maybe you want this outside the loop
}
请参阅http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html