0

我有两个问题,但我目前只在纠正一个问题。在第 331 行的程序中,当我执行它时,我收到错误(catch 语句),表明 SQL 语句有错误。它与其他(我看到的)相同,我没有看到错误。这是给出错误的部分的片段。我应该能够更新 mysql 数据库,就像其他部分一样,这个错误。我应该去哪里看?有些东西没有正确发布,我也在看,对不起。

    //String st = "DELETE FROM student WHERE Description = 'Michael'";
    // String st = “UPDATE student SET Description = + ‘Michael’ WHERE studentID = ‘123’”;
    String studentID;
    String firstName;
    String lastName;
    double gpa;
    String status;
    String mentor;
    String level;
    String thesisTitle;
    String thesisAdvisor;
    String company;

    Scanner in = new Scanner(System.in);

    // print statements to match the database input 

    System.out.println("Now let's update a record");
    System.out.println("Please enter the student ID of the record you want to update >");
    studentID = in.next();
    System.out.println("Please enter the new First Name >");
    firstName = in.next();
    System.out.println("Please enter the new Last Name >");
    lastName = in.next();
    System.out.println("Please enter the new GPA[X.XX] >");
    gpa = in.nextDouble();
    System.out.println("Please enter the new Status [Active or Inactive] >");
    status = in.next();
    System.out.println("Please enter the new mentor >");
    mentor = in.next();
    System.out.println("Please enter the new level >");
    level = in.next();
    System.out.println("Please enter the new thesis Title >");
    thesisTitle = in.next();
    System.out.println("Please enter the new thesis Advisor's name >");
    thesisAdvisor = in.next();
    System.out.println("Please enter the new Company Name >");
    company = in.next();




//      stmt.executeUpdate("Update student Set studentID='" + studentID + "', firstName='" + firstName + "', lastName='" + lastName + "', gpa=" + gpa + "', status='" + status + "', mentor='" + mentor  + "', level='" + level + "', theseisTitle='" + thesisTitle + "', thesisAdvisor='" + thesisAdvisor + "', company='" + company + "WHERE studentID = '" + studentID + " '");





    stmt.executeUpdate("Update student Set studentID='" + studentID + "',firstName'" + firstName + "', lastName='" + lastName + "', gpa=" + gpa + "', status='" + status + "', mentor='" + mentor  + "', level='" + level + "', theseisTitle='" + thesisTitle + "', thesisAdvisor='" + thesisAdvisor + "', company='" + company + "WHERE studentID = '" + studentID + " '");

    // Close the statement and the connection

    stmt.close();
    conn.close();

} catch (Exception e) {
    System.err.println("ERROR: Either cannot connect to the DB " + " or error with the SQL statement");
}
4

3 回答 3

1

我看到的一个问题是您缺少=at firstName'" + firstName +

于 2012-11-19T02:44:37.117 回答
1

您的查询的一个问题是它在firstname

stmt.executeUpdate("Update student 
                    Set studentID='" + studentID + "',
                        firstName'" + firstName + "',                                          
                                 ^ here

另一个是,它很容易受到SQL injection. 请参数化您的查询,使用PreparedStatement,示例

String updateQuery = ""
        + "UPDATE student "
        + "SET    firstname = ?, "
        + "       lastname = ?, "
        + "       gpa = ?, "
        + "       status = ?, "
        + "       mentor = ?, "
        + "       level = ?, "
        + "       theseistitle = ?, "
        + "       thesisadvisor = ?, "
        + "       company = ? "
        + "WHERE  studentid = ? ";

PreparedStatement pstmt = con.prepareStatement(updateQuery);
pstmt.setString(1,firstName)
pstmt.setString(2,lastName)
pstmt.setInt(3,gpa)
pstmt.setString(4,status)
pstmt.setString(5,mentor)
pstmt.setString(6,level)
pstmt.setString(7,thesisTitle)
pstmt.setString(8,thesisAdvisor)
pstmt.setString(9,company)
pstmt.setString(10,studentID)

我们为什么要使用PreparedStatement

  • 防止SQL Injection
  • 防止SQL Injection
  • 使代码更具可读性,尤其是当您有大量查询时

资源

于 2012-11-19T02:46:40.520 回答
0

就在 WHERE 子句之前,您在附加公司之后省略了结束引号。

于 2012-11-19T02:44:53.360 回答