我想在我的数据库中插入一个SQL查询字符串,但由于单引号var StripeComponent = React.createClass({
getInitialState: function () {
return {
card: {
number: '',
cvc: '',
exp_month: '',
exp_year: ''
}
}
},
componentDidMount: function () {
Stripe.setPublishableKey(); // set your test public key
},
handleSubmit: function (e) {
e.preventDefault();
Stripe.createToken(this.state.card, function (status, response) {
console.log( status, response );
});
},
handleChange: function (e) {
let card = this.state.card;
card[e.target.name] = e.target.value
this.setState(card);
},
render: function() {
return <form onSubmit={ this.handleSubmit }>
<input size="20" name="number" onChange={this.handleChange} />
<input size="4" name="cvc" onChange={this.handleChange} />
<input size="2" name="exp_month" onChange={this.handleChange} />
<input size="4" name="exp_year" onChange={this.handleChange} />
<button type="submit">Pay</button>
</form>
}
});
,我总是收到错误。我不能将它们加倍'',因为那样我就无法执行存储在SQL数据库中的SQL查询。这是一个例子:
''''我的问题是:如何在不更改字符串的情况下将此查询插入到我的SQL数据库中?
插入后我想用程序读取它,然后根据我数据库中的String执行查询。
以下是错误消息:
"INSERT INTO selections(selection_name, selection_sql, selection_besitzer, selection_sichtbarkeit, selection_standardSelektion)"
+ "VALUES ('"
+ "TestName"+"', '"
+ "Select * From customer where customer_adressnummer like '%1%';"+"', '"
+ "Select all from customer where X"+"', '"
+ "private"+"', '"
+ "0"+"')");
答案 0 :(得分:0)
毫不奇怪,当尝试使用动态SQL将SQL字符串插入SQL数据库时,遇到SQL注入问题的可能性相当高。保存自己的悲痛,只需使用参数化查询,如下所示:
PreparedStatement ps = conn.prepareStatement(
"INSERT INTO selections (selection_name, selection_sql, selection_besitzer, selection_sichtbarkeit, selection_standardSelektion) " +
"VALUES (?,?,?,?,?)");
ps.setString(1, "TestName");
ps.setString(2, "Select * From customer where customer_adressnummer like '%1%';");
ps.setString(3, "Select all from customer where X");
ps.setString(4, "private");
ps.setString(5, "0");
ps.executeUpdate();