I don't know whether this is possible, but here is my question:
Depending on the input, I get 13 input fields, e.g.: String firstname = request.getParameter("firstname"); ......
I have to build a SQL where clause, like if (firstname != null) { where firstname = 'test' and .. }
Any suggestions for this situation?
Regards,
Raj
Answer 0 (score: 2)
If I understand correctly, you want to generate the query dynamically depending on the values of the input fields. There are frameworks that help with this, for example MyBatis. But you can roll your own solution with prepared statements:
    import java.sql.PreparedStatement;
    import java.util.ArrayList;
    import java.util.List;
    import org.apache.commons.lang3.StringUtils; // assumed: Commons Lang; String.join works on Java 8+

    String query = "select * from foo f";
    List<String> clauses = new ArrayList<String>();   // one "col = ?" fragment per supplied field
    List<Object> parameters = new ArrayList<Object>(); // the values, in the same order as the fragments
    if (firstName != null) {
        clauses.add("f.name = ?");
        parameters.add(firstName);
    }
    // ... repeat for the other input fields
    if (!clauses.isEmpty()) {
        query += " where " + StringUtils.join(clauses, " and ");
    }
    PreparedStatement ps = connection.prepareStatement(query); // connection: an open java.sql.Connection
    for (int i = 0; i < parameters.size(); i++) {
        ps.setObject(i + 1, parameters.get(i)); // JDBC parameter indexes start at 1
    }
You can make this nicer by supporting SQL types, using the builder pattern and so on, but this simple example should give you the idea.
Answer 1 (score: 1)
I assume you are using a JDBC connection to the database. You should use prepared statements, otherwise you are open to SQL injection attacks.
The second problem is how to avoid WHERE clauses involving fields the user did not supply. There are many (2^13 == 8192) combinations, so using a different statement for every possible user input is not practical. A prepared statement can be built dynamically in your case:
    String statement = "SELECT * FROM " + dbName + "." + tableName; // dbName/tableName come from code, not from the request
    String condition = " WHERE"; // becomes " AND" after the first clause is added
    List<String> params = new ArrayList<String>();
    if ( firstname != null ){
        statement += condition + " firstname = ?";
        condition = " AND";
        params.add(firstname);
    }
    if ( familyname != null ){
        statement += condition + " familyname = ?";
        condition = " AND";
        params.add(familyname);
    }
    PreparedStatement ps = connection.prepareStatement(statement);
Then, when executing the prepared statement, you need to add the contents of params.
Answer 2 (score: 0)
You need to either build the query dynamically in Java, or use a stored procedure that does not filter on a field if that field is null.
Answer 3 (score: 0)
I was curious about this too, so I created a new answer. This is what I came up with. It could be optimized, but it does what you want using the Builder pattern. You can see from my test that I pass in a null and it is omitted from the where string.
    public class WhereBuilder {
        private final String requestParm1;
        private final String requestParm2;
        private final String requestParm3;
        private final String requestParm4;
        private final String requestParm5;
        private StringBuilder whereString = new StringBuilder();

        public static class Builder {
            private String requestParm1 = null;
            private String requestParm2 = null;
            private String requestParm3 = null;
            private String requestParm4 = null;
            private String requestParm5 = null;
            // Values are concatenated straight into the SQL text here rather than bound as
            // PreparedStatement parameters, so the result must not be built from untrusted input.
            private StringBuilder whereString = new StringBuilder("WHERE");

            public Builder() {}

            public Builder requestParm1(String value) {
                if (value != null) {
                    requestParm1 = value;
                    whereString.append(" requestParm1 = '" + requestParm1 + "' AND");
                }
                return this;
            }

            public Builder requestParm2(String value) {
                if (value != null) {
                    requestParm2 = value;
                    whereString.append(" requestParm2 = '" + requestParm2 + "' AND");
                }
                return this;
            }

            public Builder requestParm3(String value) {
                if (value != null) {
                    requestParm3 = value;
                    whereString.append(" requestParm3 = '" + requestParm3 + "' AND");
                }
                return this;
            }

            public Builder requestParm4(String value) {
                if (value != null) {
                    requestParm4 = value;
                    whereString.append(" requestParm4 = '" + requestParm4 + "' AND");
                }
                return this;
            }

            public Builder requestParm5(String value) {
                if (value != null) {
                    requestParm5 = value;
                    whereString.append(" requestParm5 = '" + requestParm5 + "' AND");
                }
                return this;
            }

            public WhereBuilder build() {
                return new WhereBuilder(this);
            }
        }

        private WhereBuilder(Builder builder) {
            requestParm1 = builder.requestParm1;
            requestParm2 = builder.requestParm2;
            requestParm3 = builder.requestParm3;
            requestParm4 = builder.requestParm4;
            requestParm5 = builder.requestParm5;
            whereString = builder.whereString;
        }

        // Strips the trailing " AND" without mutating the buffer, so it can be called more than
        // once; returns an empty string when no parameter was supplied at all.
        public String getWhereString() {
            String s = whereString.toString();
            if (s.endsWith(" AND")) {
                s = s.substring(0, s.length() - " AND".length());
            }
            return s.equals("WHERE") ? "" : s;
        }

        public static void main(String[] args) {
            WhereBuilder wb = new WhereBuilder.Builder().requestParm1("hello").requestParm2("how")
                    .requestParm3("are").requestParm4(null).requestParm5("you").build();
            String whereString = wb.getWhereString();
            System.out.println(whereString);
        }
    }
The output of the main method is
WHERE requestParm1 = 'hello' AND requestParm2 = 'how' AND requestParm3 = 'are' AND requestParm5 = 'you'
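The builder above splices the values into the SQL text, which is exactly what answers 0 and 1 warn against; the following is an added example (not from any of the answers) of the same builder idea done with bound parameters, generalized to any number of fields. It assumes Java 9+ and a hypothetical table "person" with the column names listed in ALLOWED_COLUMNS; column names cannot be bound as parameters, so they are whitelisted instead.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Builds "SELECT ... WHERE col = ? AND ..." from the non-null inputs, binding values as parameters. */
public final class SafeWhereBuilder {
    private static final String TABLE = "person";            // fixed in code, never taken from the request
    private static final Set<String> ALLOWED_COLUMNS =       // hypothetical column names for this example
            Set.of("firstname", "familyname", "city", "email");
    private final List<String> clauses = new ArrayList<>();
    private final List<Object> values = new ArrayList<>();

    /** Adds "column = ?" when value is non-null. Column names cannot be bound, so they are whitelisted. */
    public SafeWhereBuilder eq(String column, String value) {
        if (!ALLOWED_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("column not allowed: " + column);
        }
        if (value != null) {
            clauses.add(column + " = ?");
            values.add(value);
        }
        return this;
    }

    /** SQL text containing placeholders only; with no clauses the WHERE is dropped entirely. */
    public String sql() {
        String base = "SELECT * FROM " + TABLE;
        return clauses.isEmpty() ? base : base + " WHERE " + String.join(" AND ", clauses);
    }

    /** Prepares the statement and binds the collected values in order (JDBC indexes are 1-based). */
    public PreparedStatement prepare(Connection conn) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(sql());
        for (int i = 0; i < values.size(); i++) {
            ps.setObject(i + 1, values.get(i));
        }
        return ps;
    }

    public static void main(String[] args) {
        // Constructed sample input: the quote in "O'Brien" is harmless because it is bound, not spliced into SQL.
        SafeWhereBuilder b = new SafeWhereBuilder()
                .eq("firstname", "O'Brien").eq("familyname", null).eq("city", "Cork");
        System.out.println(b.sql());
        System.out.println(b.values);
    }
}
```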