-1

我正在尝试使用 java 程序将值从一台服务器插入到另一台服务器。这是我的代码:-

public static void main(String[] args) throws FileNotFoundException {
    // TODO code application logic here

    try {
        Class.forName("oracle.jdbc.OracleDriver");
    } catch (Exception exception) {
    }

    Connection conn = null;
    Connection conn1 = null;

    ResultSet rs, rs1 = null;

    Statement pst = null;


    try {
        //      dbConnect.executequery(sdate, edate);
        conn = DriverManager.getConnection("jdbc:oracle:thin:@31.4.224.76:1521:RPTPSG", "pihist", "pihist");
        String query = "select * from messagemasterhistory where ROWNUM<=1572660";
        // String query="select * from messagemasterhistory where createdate>='28-JAN-11' and createdate<='18-FEB-2011'";
        pst = conn.createStatement(java.sql.ResultSet.TYPE_FORWARD_ONLY, java.sql.ResultSet.CONCUR_READ_ONLY);

        // String sql="insert into test(SRN ,UTR) values (";
        // pst=conn.prepareStatement(sql);

        // rs.absolute(2000);
        //  pst.setFetchSize(2000);
        //  pst.setMaxRows(1500000);
        pst.setFetchDirection(ResultSet.FETCH_FORWARD);

        rs = pst.executeQuery(query);

        //  String statment="insert into test(UTR,SRN) values('abc','1')";

        //  PrintWriter wt=new PrintWriter("ritima2.txt");
        conn1 = DriverManager.getConnection("jdbc:oracle:thin:@31.4.224.81:1521:RPTPSG", "rptr", "rptr");
        Statement stat1 = conn1.createStatement();
        while (rs.next()) {
            String str = rs.getString("FIELDDATA");
            String str1 = rs.getString("FIELDINFO");
            String statment = "insert into MESSAGEMASTERHISTORY2(UTR,CREATEDATE,SENDER,RECEIVER,SUBMESSAGETYPE,FIELDINFO,FIELDDATA,DUPLICATE) values(" + "'" + rs.getString("UTR") + "'" + "," + "TO_DATE('" + rs.getDate("CREATEDATE") + "'" + ",'YYYY-MM-DD\" \"HH24:MI:SS')" + "," + "'" + rs.getString("SENDER") + "'" + "," + "'" + rs.getString("RECEIVER") + "'" + "," + "'" + rs.getString("SUBMESSAGETYPE") + "'" + "," + "'" + str1 + "'" + "," + "'" + str + "'" + "," + rs.getInt("DUPLICATE") + ")";
            // String statment="insert into test1 (fielddata,utr) values("+"'"+(rs.getString("fielddata"))+"'"+","+"'"+rs.getString("UTR")+"')";
            System.out.println(count);
            stat1.executeQuery(statment);

            System.out.println(str);
            System.out.println(str1);
            // System.out.println(rs.getClob("FIELDDATA"));
            System.gc();
            count++;
        }
        conn1.commit();
        conn1.close();
        // wt.close();
        System.out.println("Completed");
        conn.close();

    } catch (Exception e) {
        e.printStackTrace();

    }

}
}

插入几行(6274)后,它给出错误“java.sql.SQLException:ORA-00917:缺少逗号

    at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:113)
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:331)
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:288)
    at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:754)
    at oracle.jdbc.driver.T4CStatement.doOall8(T4CStatement.java:210)
    at oracle.jdbc.driver.T4CStatement.executeForRows(T4CStatement.java:963)
    at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1192)
    at oracle.jdbc.driver.OracleStatement.executeQuery(OracleStatement.java:1315)
    at javaapplication2.Main.main(Main.java:73)
4

2 回答 2

3

这不是在数据库中插入数据的一种非常安全的方法。它容易受到 SQL 注入的攻击。这可能是正在发生的事情。

您可能'在某处插入的数据中有一个,这会过早结束查询。

您应该查看这篇文章,它将向您展示如何使用准备好的语句或其他方法来保护您的查询。

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

如果你好奇,你也可以看看 Hibernate。通过一些配置,它可以安全地持久化您的实体,而无需自己编写冗长的查询

http://docs.jboss.org/hibernate/orm/4.2/quickstart/en-US/html/

于 2013-10-22T14:04:00.020 回答
3

您从源数据库复制的字符串之一可能包含非法的 SQL 代码序列。

您应该考虑使用带有参数的 PreparedStatement,而不是使用字符串连接构造 SQL。PreparedStatement 应该是预编译的,你不需要担心转义你的字符串。

就像是:

        String statment = "insert into MESSAGEMASTERHISTORY2(UTR,CREATEDATE,SENDER,RECEIVER,SUBMESSAGETYPE,FIELDINFO,FIELDDATA,DUPLICATE) values(?,?,?,?,?,?,?,?)";
        PreparedStatement ps = conn1.prepareStstement(statement)
        while (rs.next()) {
                    ps.setString(1, rs.getString("UTR"));
                    ps.setDate(2, rs.getDate("CREATEDATE"));
                    // etc etc

                    ps.executeUpdate();
                    conn1.commit(); //maybe you want this outside the loop
        }

请参阅http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html

于 2013-10-22T14:13:24.197 回答