public void getExp(String bool_expression,int groupId,int expLevel){
List<String> list=new ArrayList<String>();
List<String> nextExpressionList = new ArrayList<String>();
try{
ResultSet resultSet=null;
String sqlString = null;
Statement stmt = null;
if(expLevel==1){
System.out.println("explevel---"+expLevel+"group Id --"+groupId);
sqlString ="select bool_expression from LNP_ENG_EXPRESSIONS where fk_group="+groupId+" and expression_level="+expLevel+"";
stmt =connection.createStatement();
resultSet= stmt.executeQuery(sqlString);
while(resultSet.next()){
nextExpressionList.add(resultSet.getString(1));
System.out.println("expression -- "+ resultSet.getString(1));
}
}
if(expLevel > 1 ){
System.out.println("bool_ expression --"+bool_expression);
String sql = "select distinct variable_name from LNP_ENG_VARIABLES where id IN "+
"(select fk_variable_id from LNP_ENG_QUESTIONS where question_code IN "+
"( select Question_code from LNP_APP_QUESTIONS where id IN "+
"(select fk_question_id from LNP_ENG_ASC_QUESTION_EXP where FK_EXP_ID IN"+
"(select id from LNP_ENG_EXPRESSIONS where bool_expression = '"+bool_expression+"'"+"and fk_group="+groupId+" and expression_level="+(expLevel-1)+"))))";
System.out.println("1");
stmt =connection.createStatement();
resultSet=stmt.executeQuery(sql);
while(resultSet.next()){
list.add(resultSet.getString(1));
System.out.println("list --"+resultSet.getString(1));
}
for(int i=0;1<list.size();i++){
sqlString = "select distinct bool_expression from LNP_ENG_EXPRESSIONS where "+
"bool_expression like '%"+list.get(i)+"%' and expression_level="+expLevel+" and fk_group="+groupId+"";
resultSet = stmt.executeQuery(sqlString);
while(resultSet.next()){
nextExpressionList.add(resultSet.getString(1));
System.out.println("expression -- "+ nextExpressionList.get(i));
}
}
}
}
catch (Exception e) {
// TODO: handle exception
}
}
public static void main(String args[]){
ExpressionBuilder builder=new ExpressionBuilder();
builder.getExp("Industry='NO'", 1, 2);
}
在i中获取错误将bool_expression作为Industry='NO'传递给sql查询。
该错误是因为单引号''。但我无法解决它。
答案 0 :(得分:1)
这很容易 - 使用PreparedStatement让它为你正确地逃脱Strings。
虽然它没有解释你的问题,但我不太喜欢你的代码。它变得太大了。我将通过使用三种方法创建一个单独的DAO接口来重构,每个方法对应一个正在执行的查询。我将在DAO实现类中查询字符串静态最终常量。我会单独测试一下。当它完美地工作时,我会给检查体验级别的对象提供对DAO的引用,并让它调用它的方法而不是将所有数据库逻辑嵌入到一个类中。
它被称为“分解”。随着问题的扩大,它会帮助您解决问题。
这样的事情:
package persistance;
public interface FooDao
{
List<Foo> find(String name);
}
public class FooDaoImpl implements FooDao
{
public static final String FIND_BY_NAME_SQL = "SELECT * FROM Foo WHERE name = ?";
private DataSource dataSource;
public Foo(DataSource dataSource)
{
this.dataSource = dataSource;
}
public List<Foo> find(String name)
{
List<Foo> result = new ArrayList<Foo>();
PreparedStatement ps = null;
ResultSet rs = null;
try
{
ps = this.dataSource.getConnection().prepareStatement(FIND_BY_NAME_SQL);
ps.setString(1, name);
rs = ps.executeQuery();
while (rs.hasNext())
{
// Map row into Foo and add it to the List
result.add(foo);
}
}
catch (SQLException e)
{
throw new RuntimeException(e);
}
finally
{
close(rs);
close(ps);
}
}
}
答案 1 :(得分:0)
另一篇文章对此进行了介绍,但我想强调“单引号问题”几乎是“ open to SQL injection ”的同义词