0

我是一名程序员学习者。

我想以以下格式获取 MySQL 查询

 select status from training where status in ("Open", "Delivered")

从我的代码

if(params.openCheckBox){
    query +=" ( t.status  IN ("+params.openCheckBox+", "+params.DeliveredCheckBox+")" 
    query +=" )"
}

但它给了

   select status from training where status in (Open, Delivered)

这里“”(缺少双引号)

4

2 回答 2

4

用 , 转义双引号\MySQL 接受双引号来包装字符串。

query +=" ( t.status  IN (\""+params.openCheckBox+"\", \""+params.DeliveredCheckBox+"\")" 
query +=" )"

或者只使用单引号

query +=" ( t.status  IN ('"+params.openCheckBox+"', '"+params.DeliveredCheckBox+"')" 
query +=" )"

上面的查询很容易受到sql injection. PreparedStatement像下面这样使用

代码片段:

dbConnection = getDBConnection();
String query = "SELECT .... FROM .... WHERE t.status IN (?, ?)";
PreparedStatement preparedStatement = dbConnection.prepareStatement(query);
preparedStatement.setString(1, params.openCheckBox);
preparedStatement.setString(2, params.DeliveredCheckBox);
ResultSet rs = preparedStatement.executeQuery();

来源

于 2013-01-17T07:44:13.303 回答
1

您可以改用单引号。

query +=" ( t.status  IN ('"+params.openCheckBox+"', '"+params.DeliveredCheckBox+"')"
于 2013-01-17T07:50:46.717 回答