有人建议使用预备声明,但我不知道如何使用它。我的代码需要做哪些更改?
try
{
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
System.out.println("\n Driver loaded");
Connection con = DriverManager.getConnection("jdbc:odbc:wanisamajDB");
Statement stmt = con.createStatement();
System.out.println("statement is created");
// System.out.println(Integer.parseInt(cbregn.getSelectedItem().toString()));
String qry = " UPDATE Registration1 SET RegistrationNo = '"+cbregn.getSelectedItem()+"',SeniorPerson = '"+cbnm.getSelectedItem()+"', NativePlace = '"+tfplace.getText()+"',Kul = '"+tfkul.getText()+"', Gotra = '"+tfgotra.getText()+"' ,KulSwami = '"+tfswami.getText()+"', ResidensialAddress = '"+taraddr.getText()+"' , PinCode = '"+tfpcd.getText()+"', STDcode = '"+tfstdcode.getText()+"',TelephoneNo = '"+tftele.getText()+"', MobileNo = '"+tfmno.getText()+"', Email = '"+tfemail.getText()+"',Website ='"+tfweb.getText()+"',Education ='"+tfedu.getText()+"',Branch ='"+tfbrch.getText()+"',BloodGroup ='"+cbbldgrp.getSelectedItem()+"' where SeniorPerson='" +cbnm.getSelectedItem().toString()+"'" ;
stmt.executeUpdate(qry);
JOptionPane.showMessageDialog(null,"RECORD IS UPDATED SUCCESSFULLY ");
System.out.println("QUERY");
// cbregn.setEditable(false);
cbnm.setEditable(false);
tfplace.setEditable(false);
tfkul.setEditable(false);
tfgotra.setEditable(false);
tfswami.setEditable(false);
taraddr.setEditable(false);
tfpcd.setEditable(false);
tfstdcode.setEditable(false);
tftele.setEditable(false);
tfmno.setEditable(false);
tfemail.setEditable(false);
tfweb.setEditable(false);
tfedu.setEditable(false);
tfbrch.setEditable(false);
cbbldgrp.setEditable(false);
con.close();
stmt.close();
}
// catch(SQLException eM)
// {
// JOptionPane.showMessageDialog(null,"RECORD IS NOT FOUND ");
// }
catch(Exception et)
{
et.printStackTrace();
// System.out.println("error:"+et.getMessage());
}
答案 0 :(得分:3)
请参阅example
预备语句可以通过将SQL逻辑与提供的数据分开来帮助提高安全性。逻辑和数据的这种分离有助于防止称为SQL注入攻击的非常常见的漏洞类型。通常,在处理即席查询时,在处理从用户收到的数据时需要非常小心。这需要使用能够逃避所有必要的故障字符的函数,例如单引号,双引号和反斜杠字符。在处理预准备语句时,这是不必要的。数据的分离允许MySQL自动考虑这些字符,并且不需要使用任何特殊功能进行转义。
答案 1 :(得分:2)
在您的代码中而不是:
String qry= " UPDATE Registration1 set RegistrationNo = '"+cbregn.getSelectedItem()+"',SeniorPerson = '"+cbnm.getSelectedItem()+"', NativePlace = '"+tfplace.getText()+"',Kul = '"+tfkul.getText()+"', Gotra = '"+tfgotra.getText()+"' ,KulSwami = '"+tfswami.getText()+"', ResidensialAddress = '"+taraddr.getText()+"' , PinCode = '"+tfpcd.getText()+"', STDcode = '"+tfstdcode.getText()+"',TelephoneNo = '"+tftele.getText()+"', MobileNo = '"+tfmno.getText()+"', Email = '"+tfemail.getText()+"',Website ='"+tfweb.getText()+"',Education ='"+tfedu.getText()+"',Branch ='"+tfbrch.getText()+"',BloodGroup ='"+cbbldgrp.getSelectedItem()+"' where SeniorPerson='" +cbnm.getSelectedItem().toString()+"'" ;
stmt.executeUpdate(qry);
试试这个:
String qry= " UPDATE Registration1 set RegistrationNo = ?,SeniorPerson = ?, NativePlace = ?,Kul = ?, Gotra = ?,KulSwami = ?, ResidensialAddress = ?, PinCode = ?, STDcode = ?,TelephoneNo = ?, MobileNo = ?, Email = ?,Website =?,Education =?,Branch =?,BloodGroup =? where SeniorPerson=?" ;
PreparedStatement updateQry = con.prepareStatement(qry);
updateQry.setString(1,cbregn.getSelectedItem());
updateQry.setString(2,cbnm.getSelectedItem());
updateQry.setString(3,tfplace.getText());
updateQry.setString(4,tfkul.getText());
updateQry.setString(5,tfgotra.getText());
updateQry.setString(6,tfswami.getText());
updateQry.setString(7,taraddr.getText());
updateQry.setString(8,tfpcd.getText());
updateQry.setString(9,tfstdcode.getText());
updateQry.setString(10,tftele.getText());
updateQry.setString(11,tfmno.getText());
updateQry.setString(12,tfemail.getText());
updateQry.setString(13,tfweb.getText());
updateQry.setString(14,tfedu.getText());
updateQry.setString(15,tfbrch.getText());
updateQry.setString(16,cbbldgrp.getSelectedItem());
updateQry.setString(17,cbnm.getSelectedItem().toString());
updateQry.executeUpdate():
答案 2 :(得分:1)
public class UpdatesRecords{
public static void main(String[] args) {
System.out.println("Updates Records Example through Prepared Statement!");
Connection con = null;
try{
Class.forName("com.mysql.jdbc.Driver");
con = DriverManager.getConnection(
"jdbc:mysql://localhost:3306/jdbctutorial","root","root");
try{
String sql = "UPDATE movies SET title = ? WHERE year_made = ?";
PreparedStatement prest = con.prepareStatement(sql);
prest.setString(1,"Sanam We wafafa");
prest.setInt(2,2005);
prest.executeUpdate();
System.out.println("Updating Successfully!");
con.close();
}
catch (SQLException s){
System.out.println("SQL statement is not executed!");
}
}
catch (Exception e){
e.printStackTrace();
}
}
}
请使用上面的代码作为参考并更改您的代码
答案 3 :(得分:0)
你可以在这里找到一个很好的参考:
答案 4 :(得分:0)
非短/不带/带参数参数样本:
http://use-the-index-luke.com/sql/where-clause/bind-parameters?langtype=java#samples_bind_parameters
答案 5 :(得分:0)
This是使用PreparedStatement的最简单的例子之一,我希望它可以帮助你。