我正在学习Java JDBC,并且正在使用循环将数据存储到数据库(mySQL db)中。 当我存储个人的名字和姓氏时,它似乎工作正常,但当我尝试插入电子邮件地址时,我得到以下错误:
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException:您的SQL语法中有错误;查看与您的MySQL服务器版本对应的手册,以便在“@ 123.com”附近使用正确的语法
据我所知,除非我遗漏了一些不可思议的东西,否则我无法看到我所犯的语法错误?
我的代码如下:
import java.sql.*;
import java.util.ArrayList;
import java.util.Arrays;
public class Driver {
public static void main(String[] args) {
try{
Connection myConn = DriverManager.getConnection("jdbc:mysql://localhost:8889/demo","root","root");
Statement myStmt = myConn.createStatement();
ArrayList<String> firstNames = new ArrayList<String>(Arrays.asList("James", "John","Mark"));
ArrayList<String> lastNames = new ArrayList<String>(Arrays.asList("Handly", "licks","manford"));
ArrayList<String> emails = new ArrayList<String>(Arrays.asList("james@123.com", "John@45.co.uk","Markus@marc.com"));
for (int i = 0; i < firstNames.size(); i++){
String sql = "INSERT INTO EMPLOYEES (first_name,last_name,email) VALUES (" + firstNames.get(i)+ ", " + lastNames.get(i) + ", " + emails.get(i) + ");";
myStmt.executeUpdate(sql);
}
ResultSet myRes = myStmt.executeQuery("select * from Employees");
while(myRes.next()){
System.out.println(myRes.getString("first_name")+", "+ myRes.getString("last_name"));
}
}catch(Exception e){
e.printStackTrace();
}
}
}
当我尝试一次插入一个数据时,例如
String sql = "INSERT INTO EMPLOYEES (first_name,last_name,email) VALUES ('John','test','test@test.com')";
myStmt.executeUpdate(sql);
这工作正常,所以我很困惑为什么没有正确传递数据。 谢谢!
修改 感谢来自@scaisEdge和@ A.A的反馈,虽然我正在寻找的修复工作确实有效,但使用字符串文字是一个 BAD 的想法,因为你打开了SQL注入。 反过来,我现在已经使用Prepared语句(@ A.A的答案)修改了我的代码,这些语句有效,并且问题少得多!
新代码如下:
import java.sql.*;
import java.util.ArrayList;
import java.util.Arrays;
public class Driver {
public static void main(String[] args) {
Connection myConn = null;
PreparedStatement myStmt = null;
ResultSet myRs = null;
try{
//1.get connection to db
myConn = DriverManager.getConnection("jdbc:mysql://localhost:8889/demo","root","root");
ArrayList<String> firstNames = new ArrayList<String>(Arrays.asList("James", "John","Mark"));
ArrayList<String> lastNames = new ArrayList<String>(Arrays.asList("Handly", "licks","manford"));
ArrayList<String> emails = new ArrayList<String>(Arrays.asList("james@123.com", "John@45.co.uk","Markus@marc.com"));
for (int i = 0; i < firstNames.size(); i++){
//Insert Query
myStmt = myConn.prepareStatement("INSERT INTO EMPLOYEES (first_name,last_name,email) VALUES (?,?,?)");
myStmt.setString(1,firstNames.get(i));
myStmt.setString(2,lastNames.get(i));
myStmt.setString(3,emails.get(i));
myStmt.execute();
}
ResultSet myRes = myStmt.executeQuery("select * from Employees");
while(myRes.next()){
System.out.println(myRes.getString("first_name")+", "+ myRes.getString("last_name"));
}
myConn.close();
}catch(Exception e) {
e.printStackTrace();
}
}
}
答案 0 :(得分:5)
我还建议使用预准备语句,它不仅更具可读性,而且还可以防止SQL注入攻击。更多信息here
示例:
preparedStatement = connection.prepareStatement("INSERT INTO EMPLOYEES (fname, lname, email) VALUES (?, ?, ?)");
preparedStatement.setString(1, person.getFName());
preparedStatement.setString(2, person.getLName());
preparedStatement.setString(2, person.getEmail());