我已经阅读了许多类似的问题,但是没有解决方案对我有用。
我正在使用jersey for CRUD编写RESTful API,因此我需要实现SQL语句来执行事务。但是对于每笔交易,都发生了同样的错误,该程序说我的SQL语法错误。
我搜索了许多解决方案,但没有人为我工作,并且我的SQL代码没有发现任何错误
(其他3个操作(包括创建,删除和更新显示熟悉的错误)
以下是我的Java代码供阅读:
public HotelBean read(int hotelId, int roomId) {
List<RoomBean> lBean = new ArrayList<RoomBean>();
try {
Connection conn = DBFactory.connectDB().getConn();
Statement statement = conn.createStatement();
ResultSet rs = statement.executeQuery("SELECT T1.HOTEL_ID, HOTEL_NAME, ROOM_ID, ROOM_NAME, OCCUPANCY, VACANCY, TOTAL_ROOM FROM HPMSDB.ROOM_INFO T1 INNER JOIN HPMSDB.HOTEL_INFO T2 ON T1.HOTEL_ID=T2.HOTEL_ID" + " WHERE T2.HOTEL_ID =" + hotelId + "AND T2.ROOM_ID="+ roomId);
while (rs.next()) {
RoomBean roomBean = new RoomBean();
roomBean.setHotelId(rs.getInt(1));
roomBean.setHotelName(rs.getString(2));
roomBean.setRoomId(rs.getInt(3));
roomBean.setRoomName(rs.getString(4));
roomBean.setOccupancy(rs.getInt(5));
roomBean.setVancancy(rs.getInt(6));
roomBean.setTotalRoom(rs.getInt(7));
lBean.add(roomBean);
}
conn.close();
} catch (Exception ex) {
ex.printStackTrace();
}
HotelBean hotelBean = new HotelBean();
hotelBean.setRoomBean(lBean);
return hotelBean;
}
以下是我的数据库:
CREATE DATABASE HPMSDB DEFAULT CHARACTER SET UTF8
DEFAULT COLLATE UTF8_GENERAL_CI;
DROP TABLE IF EXISTS HPMSDB.HOTEL_INFO;
CREATE TABLE HPMSDB.HOTEL_INFO (
HOTEL_ID INT NOT NULL,
HOTEL_NAME VARCHAR(64),
RESORT_MANAGE VARCHAR(64),
PRIMARY KEY(HOTEL_ID)
);
DROP TABLE IF EXISTS HPMSDB.ROOM_INFO;
CREATE TABLE HPMSDB.ROOM_INFO (
HOTEL_ID INT NOT NULL,
ROOM_ID INT NOT NULL,
ROOM_NAME VARCHAR(64) NOT NULL,
OCCUPANCY INT,
VACANCY INT,
TOTAL_ROOM INT,
PRIMARY KEY(HOTEL_ID, ROOM_ID)
);
以下是读取错误消息:
java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'T2.ROOM_ID=2' at line 1
以下是创建错误消息:
java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE HOTEL_ID =2 AND ROOM_ID=1' at line 1
我对于所有创建,更新,读取和删除都显示相同错误的地方感到非常困惑。
感谢您的时间,祝您有愉快的一天!
答案 0 :(得分:4)
问题是双重的。
一个是字符串中AND关键字之前没有空格:
SELECT T1.HOTEL_ID, HOTEL_NAME, ROOM_ID, ROOM_NAME, OCCUPANCY, VACANCY, TOTAL_ROOM
FROM HPMSDB.ROOM_INFO T1 INNER JOIN HPMSDB.HOTEL_INFO T2
ON T1.HOTEL_ID=T2.HOTEL_ID" + " WHERE T2.HOTEL_ID =" + hotelId + "AND T2.ROOM_ID="+ roomId
会变成:
SELECT T1.HOTEL_ID, HOTEL_NAME, ROOM_ID, ROOM_NAME, OCCUPANCY, VACANCY, TOTAL_ROOM
FROM HPMSDB.ROOM_INFO T1 INNER JOIN HPMSDB.HOTEL_INFO T2
ON T1.HOTEL_ID=T2.HOTEL_ID WHERE T2.HOTEL_ID =1234AND T2.ROOM_ID=9999
^^^^^^^
LOOK!
但是更大的问题是您使用字符串concat将值放入SQL中。这是上线时被黑客入侵的绝佳方式
上面链接的网站提供了有关使用PreparedStatement的建议。请记住,如果遇到“我想使用参数,但我只是通过字符串concat来构建此SQL;没有其他方法”的情况,请记住-没有什么可以阻止您串联一个参数,然后用值填充参数;始终避免将值连接到SQL中
假设您有两个数组:
columns[0] = "hotelid";
values[0] = "RoyalPalace";
columns[1] = "roomnum";
values[1] = "99";
您可能认为您必须像这样制作sql:
string sql = "select * from hotels where 1=1 ";
for(int i=0; i<columns.length; i++){
sql = sql + " AND " + columns[i] + " = " + values[i]; // no no; do not concat values in!
}
输入Concat参数,然后进行设置(Hibernate语法):
string sql = "select * from hotels where 1=1 ";
for(int i=0; i<columns.length; i++){
sql = sql + " AND " + columns[i] + " = :p" + i; // yes, concat a parameter named pX in!
}
Query query = session.createQuery(sql);
for(int i=0; i<columns.length; i++){
query.setString(":p"+i, values[i]); // give the parameters a value
}
这是我所知的一个me脚的例子。但是,以防万一您发现自己需要结合价值的情况-永远不会做