如何使用jdbc在mysql中插入撇号数据

时间:2013-10-24 14:41:26

标签: java mysql jdbc insert apostrophe

我正在尝试为产品插入一些细节,包括ID,标题,类别等......

现在在标题栏中,我的数据如下:“Voi Jeans Banana Fit男士长裤”,但在插入时我得到以下错误:

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your     SQL syntax; check the manual that corresponds to your MySQL server version for the right   syntax to use near 's Trousers' ,'http://www.flipkart.com/voi-jeans-banana-fit-men-s- trousers/p/itmd' at line 1
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:411)
at com.mysql.jdbc.Util.getInstance(Util.java:386)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1052)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3597)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3529)
at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1990)
at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2151)
at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2619)
at com.mysql.jdbc.StatementImpl.executeUpdate(StatementImpl.java:1709)
at com.mysql.jdbc.StatementImpl.executeUpdate(StatementImpl.java:1628)
at     universe.shopping.controller.shoppingcontrol.processrequest(shoppingcontrol.java:388)
at universe.shopping.controller.shoppingcontrol.doGet(shoppingcontrol.java:88)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

据我所知,基本上sql将此数据解释为“Voi Jeans Banana Fit Men”而不是“Voi Jeans Banana Fit男士裤子”,不包括“裤子”部分导致错误。

我真的需要知道如何插入包含撇号的完整标题。什么是最好的方式?

我正在进行插入的jdbc代码是:

String pid=request.getParameter("id");  // values from my jsp form 
String pname=request.getParameter("name");
String plink=request.getParameter("link");
String pkeyword1=request.getParameter("keyword1");
String pcategory=request.getParameter("catval");
String psubcategory=request.getParameter("cval");
String psubsubcategory=request.getParameter("subcval");
String pimage=request.getParameter("image");
String psecondimage=request.getParameter("secondimage");
String pthirdimage=request.getParameter("thirdimage");
String pcontent=request.getParameter("content");
String pprice=request.getParameter("price");
String pshipping=request.getParameter("shipping");
String pquantity=request.getParameter("quant");

java.sql.Connection connection = null;
CallableStatement stmt=null;
try {  
    Class.forName("com.mysql.jdbc.Driver");  
} catch (ClassNotFoundException e) {  
    System.out.println("Where is your MySQL JDBC   Driver?");  
    e.printStackTrace();  
    return;  
}  

System.out.println("MySQL JDBC Driver Registered!");  
Connection con = null;  
try {  
    con = DriverManager.getConnection("jdbc:mysql://localhost:3306/grandsho_register", "root","123456");  
} catch (SQLException e) {  
    System.out.println("Connection Failed! Check output console");  
    e.printStackTrace();  
    return;  
}  
if (con != null) {  
    System.out.println("Connection made.....");  
    try{  
        System.out.println("creating statements...");  
        String sql="{call adminproduct('"+pid+"','"+pname+"'   ,'"+plink+"' ,'"+pkeyword1+"','"+pprice+"','"+pshipping+"','"+pquantity+"','"+pcategory+"','"+psubcategory+"','"+psubsubcategory+"','"+pimage+"','"+psecondimage+"','"+pthirdimage+"','"+pcontent+"')}";
        stmt=con.prepareCall(sql);
        stmt.executeUpdate(sql);   
        System.out.println("Inserted records into the table...");  

        stmt.close();  
        con.close();  
    }catch(SQLException se){  
        se.printStackTrace();  
    }
}else {  
    System.out.println("Failed to make connection!");  
}  

请建议我从jdbc插入此数据的适当解决方案。

2 个答案:

答案 0 :(得分:2)

而不是这样做:

 String sql="{call adminproduct('"+pid+"','"+pname+"'   ,'"+plink+"' ,'"+pkeyword1+"','"+pprice+"','"+pshipping+"','"+pquantity+"','"+pcategory+"','"+psubcategory+"','"+psubsubcategory+"','"+pimage+"','"+psecondimage+"','"+pthirdimage+"','"+pcontent+"')}";

你应该investigate PreparedStatements

基本上,您提供了一个SQL语句,其中包含占位符并声明每个占位符中的参数。这样可以使用数据库API,这样您就不必转义撇号等,可以保护您免受SQL injection的攻击。<​​/ p>

答案 1 :(得分:2)

您应该使用参数化SQL,而不是直接在调用本身中包含值。如下所示:

// The ... is because I didn't want to count the huge number of parameters...
// You'll need to fill in the right number of question marks.
String sql = "{call adminproduct(?, ?, ?, ?, ?, ...))}";
stmt = con.prepareCall(sql);
stmt.setString(1, pid);
stmt.setString(2, pname);
// Etc... all the parameters
stmt.executeUpdate(sql);   

从不直接在SQL中包含变量值,无论它们是调用存储过程还是vanilla SQL。使用参数化SQL有三个主要好处:

  • 它可以防范SQL injection attacks
  • 避免杂乱的转换(尤其是日期/时间字段)
  • 通过将SQL与值分开来保持代码更清晰。 (如果没有所有字符串连接,SQL 很多更容易阅读。)