如何使用准备好的声明

时间:2011-04-08 06:26:22

标签: java sql prepared-statement

有人建议使用预备声明,但我不知道如何使用它。我的代码需要做哪些更改?

try
{
    Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
    System.out.println("\n Driver loaded");

    Connection con = DriverManager.getConnection("jdbc:odbc:wanisamajDB");

    Statement stmt = con.createStatement();
    System.out.println("statement is created");

    // System.out.println(Integer.parseInt(cbregn.getSelectedItem().toString()));

    String qry = " UPDATE Registration1 SET RegistrationNo = '"+cbregn.getSelectedItem()+"',SeniorPerson = '"+cbnm.getSelectedItem()+"', NativePlace = '"+tfplace.getText()+"',Kul = '"+tfkul.getText()+"', Gotra = '"+tfgotra.getText()+"' ,KulSwami = '"+tfswami.getText()+"', ResidensialAddress = '"+taraddr.getText()+"' , PinCode = '"+tfpcd.getText()+"', STDcode = '"+tfstdcode.getText()+"',TelephoneNo = '"+tftele.getText()+"', MobileNo = '"+tfmno.getText()+"', Email = '"+tfemail.getText()+"',Website ='"+tfweb.getText()+"',Education ='"+tfedu.getText()+"',Branch ='"+tfbrch.getText()+"',BloodGroup ='"+cbbldgrp.getSelectedItem()+"' where SeniorPerson='" +cbnm.getSelectedItem().toString()+"'" ;

          stmt.executeUpdate(qry);

          JOptionPane.showMessageDialog(null,"RECORD IS UPDATED SUCCESSFULLY ");
          System.out.println("QUERY");       

          // cbregn.setEditable(false);
          cbnm.setEditable(false);
          tfplace.setEditable(false);
          tfkul.setEditable(false);
          tfgotra.setEditable(false);
          tfswami.setEditable(false);
          taraddr.setEditable(false);
          tfpcd.setEditable(false);
          tfstdcode.setEditable(false);
          tftele.setEditable(false);
          tfmno.setEditable(false);
          tfemail.setEditable(false);
          tfweb.setEditable(false);
          tfedu.setEditable(false);
          tfbrch.setEditable(false);
          cbbldgrp.setEditable(false);
          con.close();
          stmt.close();
        }
//            catch(SQLException eM)
//            {
//            JOptionPane.showMessageDialog(null,"RECORD IS NOT FOUND ");
//            }
        catch(Exception et)
        {
             et.printStackTrace();
          //  System.out.println("error:"+et.getMessage());
        }  

6 个答案:

答案 0 :(得分:3)

请参阅example

预备语句可以通过将SQL逻辑与提供的数据分开来帮助提高安全性。逻辑和数据的这种分离有助于防止称为SQL注入攻击的非常常见的漏洞类型。通常,在处理即席查询时,在处理从用户收到的数据时需要非常小心。这需要使用能够逃避所有必要的故障字符的函数,例如单引号,双引号和反斜杠字符。在处理预准备语句时,这是不必要的。数据的分离允许MySQL自动考虑这些字符,并且不需要使用任何特殊功能进行转义。

答案 1 :(得分:2)

在您的代码中而不是:

String qry= " UPDATE Registration1 set RegistrationNo = '"+cbregn.getSelectedItem()+"',SeniorPerson = '"+cbnm.getSelectedItem()+"', NativePlace = '"+tfplace.getText()+"',Kul = '"+tfkul.getText()+"', Gotra = '"+tfgotra.getText()+"' ,KulSwami = '"+tfswami.getText()+"', ResidensialAddress = '"+taraddr.getText()+"' , PinCode = '"+tfpcd.getText()+"', STDcode = '"+tfstdcode.getText()+"',TelephoneNo = '"+tftele.getText()+"', MobileNo = '"+tfmno.getText()+"', Email = '"+tfemail.getText()+"',Website ='"+tfweb.getText()+"',Education ='"+tfedu.getText()+"',Branch ='"+tfbrch.getText()+"',BloodGroup ='"+cbbldgrp.getSelectedItem()+"' where SeniorPerson='" +cbnm.getSelectedItem().toString()+"'" ;
stmt.executeUpdate(qry);

试试这个:

String qry= " UPDATE Registration1 set RegistrationNo = ?,SeniorPerson = ?, NativePlace = ?,Kul = ?, Gotra = ?,KulSwami = ?, ResidensialAddress = ?, PinCode = ?, STDcode = ?,TelephoneNo = ?, MobileNo = ?, Email = ?,Website =?,Education =?,Branch =?,BloodGroup =? where SeniorPerson=?" ;

PreparedStatement updateQry = con.prepareStatement(qry);
updateQry.setString(1,cbregn.getSelectedItem());
updateQry.setString(2,cbnm.getSelectedItem());
updateQry.setString(3,tfplace.getText());
updateQry.setString(4,tfkul.getText());
updateQry.setString(5,tfgotra.getText());
updateQry.setString(6,tfswami.getText());
updateQry.setString(7,taraddr.getText());
updateQry.setString(8,tfpcd.getText());
updateQry.setString(9,tfstdcode.getText());
updateQry.setString(10,tftele.getText());
updateQry.setString(11,tfmno.getText());
updateQry.setString(12,tfemail.getText());
updateQry.setString(13,tfweb.getText());
updateQry.setString(14,tfedu.getText());
updateQry.setString(15,tfbrch.getText());
updateQry.setString(16,cbbldgrp.getSelectedItem());
updateQry.setString(17,cbnm.getSelectedItem().toString());
updateQry.executeUpdate():

答案 2 :(得分:1)

    public class UpdatesRecords{
     public static void main(String[] args) {
    System.out.println("Updates Records Example through Prepared Statement!");
    Connection con = null;
    try{
      Class.forName("com.mysql.jdbc.Driver");
      con = DriverManager.getConnection(
     "jdbc:mysql://localhost:3306/jdbctutorial","root","root");
      try{
        String sql = "UPDATE movies SET title = ? WHERE year_made = ?";
        PreparedStatement prest = con.prepareStatement(sql);
        prest.setString(1,"Sanam We wafafa");
        prest.setInt(2,2005);
        prest.executeUpdate();
        System.out.println("Updating Successfully!");
        con.close();
      }
      catch (SQLException s){
        System.out.println("SQL statement is not executed!");
      }
    }
     catch (Exception e){
      e.printStackTrace();
    }
   }
}

请使用上面的代码作为参考并更改您的代码

答案 3 :(得分:0)

你可以在这里找到一个很好的参考:

PreparedStatement Reference

答案 4 :(得分:0)

答案 5 :(得分:0)

This是使用PreparedStatement的最简单的例子之一,我希望它可以帮助你。