0

我设计了一个系统,我希望用户首先从组合框中选择他要插入的表的名称,然后他将输入其余字段。我的问题是我怎样才能让用户输入名称使用sql语句的表..我写了以下没有但它不起作用??

 try { 
            Object service = Service_ComboBox.getSelectedItem(); 
            String ref = "0";  
            String title = title_TextField1.getText(); 
            Object riskRating = riskRating_ComboBox3.getSelectedItem();
            Object rootCause = rootCause_ComboBox4.getSelectedItem(); 
            Object impact = impact_ComboBox1.getSelectedItem(); 
            Object likelihood = likelihood_ComboBox2.getSelectedItem(); 
            String efforts = efforts_TextField7.getText(); 
            String finding = finding_TextField9.getText(); 
            String implication = implication_TextArea1.getText(); 
            String recommendation = recommendation_TextArea2.getText(); 

          Connection  conn= DriverManager.getConnection ("jdbc:oracle:thin:@localhost:1521:XE","SYSTEM","*******");
             String query = "insert into ? (Service,Ref,Title,Risk_Rating,Root_cause,Impact ,Likelihood,Efforts,Finding,Implication,Recommendation)values ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? , ?)"; 

         PreparedStatement myStatment = conn.prepareStatement(query);

            myStatment.clearParameters();

     myStatment.setString(1, service.toString());
     myStatment.setString(2, service.toString());
     myStatment.setString(3, ref);
     myStatment.setString(4, title); 
     myStatment.setString(5, riskRating.toString());
     myStatment.setString(6, rootCause.toString());
     myStatment.setString(7, impact.toString());
     myStatment.setString(8, likelihood.toString());
     myStatment.setString(9, efforts);
     myStatment.setString(10, finding);
     myStatment.setString(11, implication);
     myStatment.setString(12, recommendation);


            boolean myResult = myStatment.execute(); 


           System.out.println("done");


        } catch (SQLException ex) {

            JOptionPane.showMessageDialog(this, "Information is missing or incorrect! Please Make sure to enter correct information");
            Logger.getLogger(Insert_info.class.getName()).log(Level.SEVERE, null, ex);
            return;

        }

        JOptionPane.showMessageDialog(this, "Your information was saved successfully!");
4

2 回答 2

0

使用以下语法:

String query = "insert into " &tablename "bla bla predicates"

为了避免 sql 注入,在您的数据库中创建角色并授予访问者/用户想要使用的表的访问权限。
或者您可以使用通配符:
创建变量 tbl_name

String query = "insert into "(select table_name from user_tables where table_name like '%tbl_name%')"<br/>

- 接下来创建一个决策“IF”并将通配符的输出放入其中。如果它与您拥有的表匹配,那么如果不使用错误消息处理它就可以了。

于 2012-07-19T13:20:05.313 回答
0 
insert into ?

您不能将绑定变量用于模式对象名称。原因是当你准备语句时,数据库需要知道涉及到哪些表,并决定使用哪些索引,所以需要知道查询SQL(只有数据可以改变)。

所以如果你想这样做,你必须使用字符串插值来构造查询(只针对表名,继续对数据使用绑定变量!)。

String query = "insert into "+ tableName + ....

确保您验证了这一点tableName。在您的情况下,可能可以根据有效表名的 HashSet 检查它。不要让这成为 SQL 注入问题。

于 2012-07-19T12:50:34.403 回答