我将字符串数组传递给PreparedStatement。我使用的是mysql,jsp和存储过程,但它不是从数据库中获取数据:
String searchbycategory[] = request.getParameterValues("category");
StringBuilder sb= new StringBuilder();
String filter = "";
for(int i = 0; i < searchbycategory.length; i++) {
sb.append( "'"+searchbycategory[i]+"'," );
}
filter = sb.toString();
filter = filter.substring(0, filter.length()-1);
PreparedStatement pstmt = con.prepareStatement("{call some(?)}");
pstmt.setString(1, filter);
ResultSet resultset = pstmt.executeQuery();
答案 0 :(得分:0)
如果 searchbycategory 的长度为1,则您的程序应按预期工作。 问题是你将输入字符串加入一个。
如果要在程序中阻止SQL注入, 每个 searchbycategory 都应映射到PrepareStatement中的一个参数。例如:
String searchbycategory[] = request.getParameterValues("category");
StringBuilder sb = new StringBuilder().append("select col_name from table_name where category in (");
for (int i = 0; i < searchbycategory.length; i++) {
sb.append("?,");
}
sb.setCharAt(sb.length()-1,')');
PreparedStatement pstmt = con.prepareStatement(sb.toString());
for (int i = 0; i < searchbycategory.length; i++) {
pstmt.setString(i+1, searchbycategory[i]);
}
ResultSet resultset = pstmt.executeQuery();