I am using a prepared statement to protect my SQL query against SQL injection attacks. The statement was suggested in another post and I implemented it as instructed. Now an error occurs when the update query runs. It only happens at a few steps in my program. Here is the relevant part of the code, with a comment area describing the error in detail. If I need to post the whole program, please let me know.
Here is the snippet:
String updateQuery ="" + " Update student"
+ "Set firstname = ?, "
+ " lastname = ?, "
+ " gpa = ? "
+ " status = ?, "
+ " mentor = ?, "
+ " level = ?, "
+ " thesisTitle = ?, "
+ " thesisAdvisor = ?, "
+ " company = ?, "
+ "Where studentid = ? ";
//This seems to work right up to set #7, then the program errors out. It indicates a syntax error that I cannot find?
// I wonder if the error is version dependent? Error points to MySQL version for correct syntax to use near '= ?, that would be right after firstName.
PreparedStatement pstmt = conn.prepareStatement(updateQuery); //to protect against SQL injection attacks
pstmt.setString(1,firstName);
pstmt.setString(2,lastName);
pstmt.setDouble(3,gpa);
pstmt.setString(4,status);
pstmt.setString(5,mentor);
pstmt.setString(6,level);
pstmt.setString(7,thesisTitle);
pstmt.setString(8,thesisAdvisor);
pstmt.setString(9,company);
pstmt.setString(10,studentID);
int rowsInserted = stmt.executeUpdate(updateQuery);
System.out.print("Number of Rows inserted = " + rowsInserted);
// Close the statement and the connection
stmt.close();
conn.close();
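A corrected form of the posted snippet, added here as an example and not the asker's code. It assumes an open JDBC `Connection` to the MySQL database with the `student` table and the column names used in the post; the `Connection` itself is supplied by the caller. Three things differ from the snippet above. First, the SQL text is rebuilt so that the concatenated pieces cannot run together: in the original, `" Update student" + "Set firstname"` produces `Update studentSet firstname`, the comma after `gpa = ?` is missing, and a trailing comma is left before `Where`. Second, the update is executed with `pstmt.executeUpdate()` and no argument. The original calls `stmt.executeUpdate(updateQuery)` on a different statement object, which sends the query text with literal `?` characters and none of the bound values to the server; that is consistent with the "near '= ?'" syntax error in the comments, and it also means the parameter binding is never used, so the protection against injection is lost. Third, the statement is closed with try-with-resources so it is released even when an exception is thrown.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Added example: parameterised UPDATE for the student table from the question.
 * Assumes the caller provides an open JDBC Connection to the MySQL database.
 */
public class StudentUpdate {

    // Every fragment starts with a space so concatenation cannot fuse tokens
    // (the original produced "Update studentSet firstname").
    static final String UPDATE_SQL =
            " UPDATE student"
            + " SET firstname = ?,"
            + " lastname = ?,"
            + " gpa = ?,"             // comma was missing here in the question
            + " status = ?,"
            + " mentor = ?,"
            + " level = ?,"
            + " thesisTitle = ?,"
            + " thesisAdvisor = ?,"
            + " company = ?"          // no trailing comma before WHERE
            + " WHERE studentid = ?";

    /** Number of parameters this statement expects; bindings below must match. */
    static final int EXPECTED_PARAMS = 10;

    /** Counts '?' placeholders so a mismatch with the bindings is caught early. */
    static int placeholderCount(String sql) {
        int n = 0;
        for (int i = 0; i < sql.length(); i++) {
            if (sql.charAt(i) == '?') {
                n++;
            }
        }
        return n;
    }

    /**
     * Runs the prepared UPDATE and returns the number of rows changed.
     * The values are sent as bound parameters, never spliced into the SQL
     * text, which is what makes the statement safe against SQL injection.
     */
    static int updateStudent(Connection conn, String firstName, String lastName,
                             double gpa, String status, String mentor, String level,
                             String thesisTitle, String thesisAdvisor, String company,
                             String studentId) throws SQLException {
        if (placeholderCount(UPDATE_SQL) != EXPECTED_PARAMS) {
            throw new IllegalStateException("placeholder count does not match bindings");
        }
        // try-with-resources closes the PreparedStatement even if an exception is thrown
        try (PreparedStatement pstmt = conn.prepareStatement(UPDATE_SQL)) {
            pstmt.setString(1, firstName);
            pstmt.setString(2, lastName);
            pstmt.setDouble(3, gpa);
            pstmt.setString(4, status);
            pstmt.setString(5, mentor);
            pstmt.setString(6, level);
            pstmt.setString(7, thesisTitle);
            pstmt.setString(8, thesisAdvisor);
            pstmt.setString(9, company);
            pstmt.setString(10, studentId);
            // executeUpdate() with NO argument runs the prepared, bound statement.
            // Passing the SQL string to a plain Statement instead (as the question
            // does with stmt.executeUpdate(updateQuery)) sends the literal '?'
            // characters to MySQL, which rejects them as a syntax error, and the
            // bound values are never used at all.
            int rowsUpdated = pstmt.executeUpdate();
            System.out.println("Number of rows updated = " + rowsUpdated);
            return rowsUpdated;
        }
    }
}
```

The caller keeps ownership of the `Connection` and closes it when the unit of work is finished; only the statement is closed here. Keeping the `placeholderCount` check next to the bindings makes a future edit that adds a column without adding a `setX` call fail immediately rather than at the database.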