我的方法目前从数据库中选择所有教师及其ID。在我的selectDBT变量中,我想定义这样的方式,以便
SELECT name, id from instructor where name like substring;
并且此substring应该是用户可以输入的一些'%sub%'子字符串。
private static void selectInstructor() throws SQLException {
Connection dataConnection = null;
Statement statement = null;
String selectDBT = "SELECT name, id from instructor";
try {
dataConnection = getConnection();
statement = dataConnection.createStatement();
System.out.println(selectDBT);
ResultSet result_set = statement.executeQuery(selectDBT);
while (result_set.next()) {
String ins_name = result_set.getString("name");
String ins_id = result_set.getString("id");
System.out.println("Instructor Name : " + ins_name);
System.out.println("Instructor ID : " + ins_id);
}
} catch (SQLException e) {
System.out.println(e.getMessage());
} finally {
if (statement != null) {
statement.close();
}
if (dataConnection != null) {
dataConnection.close();
}
}
}
到目前为止,我能够让用户使用java swing接口将用户ID和密码输入数据库。现在我想创建另一个用户可以输入substring的接口,它应该引用一些%sub%字符串模式匹配,我的输出将是与子字符串匹配的名称和id。现在我',得到所有的名字和id,因为我不让用户输入子串匹配。因为我希望用户动态选择硬编码也不行。
编辑:使用预准备声明:
private static void selectInstructor() throws SQLException {
Connection dataConnection = null;
Statement statement = null;
// String selectDBT = "SELECT name, id from instructor";
try {
dataConnection = getConnection();
PreparedStatement preparedStatement =
dataConnection.prepareStatement("SELECT name, id from instructor where name like ?");
preparedStatement.setString(1, substring);
// statement = dataConnection.createStatement();
System.out.println(preparedStatement);
ResultSet result_set = statement.executeQuery(preparedStatement);
while (result_set.next()) {
String ins_name = result_set.getString("name");
String ins_id = result_set.getString("id");
System.out.println("Instructor Name : " + ins_name);
System.out.println("Instructor ID : " + ins_id);
}
} catch (SQLException e) {
System.out.println(e.getMessage());
} finally {
if (statement != null) {
statement.close();
}
if (dataConnection != null) {
dataConnection.close();
}
}
}
然而,我得到了相同的输出。请注意我在SQL.I treid中非常新用来使用来自答案建议的准备语句。
答案 0 :(得分:0)
有一个运算符like,您可以这样使用它:
String selectDBT = "SELECT name, id from instructor like '" + sub + "'";
//...
但是这可以提供错误语法和精简SQL注入,有一些智能用户,所以我建议改为使用PrepapredStatement:
PreparedStatement preparedStatement =
connection.prepareStatement("SELECT name, id from instructor where name like ?");
preparedStatement.setString(1, substring);
这可以更加安全,更安全。
修改
您可以像这样完成您的计划:
PreparedStatement preparedStatement =
connection.prepareStatement("SELECT name, id from instructor where name like ?");
preparedStatement.setString(1, substring);
//get result from your prepapredStatement
ResultSet result_set = preparedStatement.executeQuery();
while (result_set.next()) {
String ins_name = result_set.getString("name");
String ins_id = result_set.getString("id");
System.out.println("Instructor Name : " + ins_name);
System.out.println("Instructor ID : " + ins_id);
}
答案 1 :(得分:0)
您可以在数据库中编写一个简单的过程;
CREATE OR REPLACE PROCEDURE get_instructor_cursor
(p_search_string IN VARCHAR2,
p_cursor_var OUT SYS_REFCURSOR) AS
BEGIN
OPEN p_cursor_var FOR
SELECT name,
id
FROM instructor
WHERE name like '%'||p_search_string||'%';
END Get_instructor_cursor;
传入search_string并简单地浏览返回的结果光标以显示结果。具有以下优势:您可以从任何地方轻松地重复使用该搜索。