0

我正在尝试为产品插入一些详细信息,包括 id、title、category 等...

现在在标题字段中,我的数据类似于:“Voi Jeans Banana Fit Men's Trousers”,但在插入时出现以下错误:

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your     SQL syntax; check the manual that corresponds to your MySQL server version for the right   syntax to use near 's Trousers' ,'http://www.flipkart.com/voi-jeans-banana-fit-men-s- trousers/p/itmd' at line 1
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at com.mysql.jdbc.Util.handleNewInstance(Util.java:411)
at com.mysql.jdbc.Util.getInstance(Util.java:386)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1052)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3597)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3529)
at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1990)
at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2151)
at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2619)
at com.mysql.jdbc.StatementImpl.executeUpdate(StatementImpl.java:1709)
at com.mysql.jdbc.StatementImpl.executeUpdate(StatementImpl.java:1628)
at     universe.shopping.controller.shoppingcontrol.processrequest(shoppingcontrol.java:388)
at universe.shopping.controller.shoppingcontrol.doGet(shoppingcontrol.java:88)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

据我所知,基本上sql将此数据解释为“Voi Jeans Banana Fit Men”而不是“Voi Jeans Banana Fit Men's Trousers”,不包括“s Trousers”部分导致错误。

我真的需要知道如何插入包含撇号的完整标题。最好的方法是什么?

我正在插入的 jdbc 代码是:

String pid=request.getParameter("id");  // values from my jsp form 
String pname=request.getParameter("name");
String plink=request.getParameter("link");
String pkeyword1=request.getParameter("keyword1");
String pcategory=request.getParameter("catval");
String psubcategory=request.getParameter("cval");
String psubsubcategory=request.getParameter("subcval");
String pimage=request.getParameter("image");
String psecondimage=request.getParameter("secondimage");
String pthirdimage=request.getParameter("thirdimage");
String pcontent=request.getParameter("content");
String pprice=request.getParameter("price");
String pshipping=request.getParameter("shipping");
String pquantity=request.getParameter("quant");

java.sql.Connection connection = null;
CallableStatement stmt=null;
try {  
    Class.forName("com.mysql.jdbc.Driver");  
} catch (ClassNotFoundException e) {  
    System.out.println("Where is your MySQL JDBC   Driver?");  
    e.printStackTrace();  
    return;  
}  

System.out.println("MySQL JDBC Driver Registered!");  
Connection con = null;  
try {  
    con = DriverManager.getConnection("jdbc:mysql://localhost:3306/grandsho_register", "root","123456");  
} catch (SQLException e) {  
    System.out.println("Connection Failed! Check output console");  
    e.printStackTrace();  
    return;  
}  
if (con != null) {  
    System.out.println("Connection made.....");  
    try{  
        System.out.println("creating statements...");  
        String sql="{call adminproduct('"+pid+"','"+pname+"'   ,'"+plink+"' ,'"+pkeyword1+"','"+pprice+"','"+pshipping+"','"+pquantity+"','"+pcategory+"','"+psubcategory+"','"+psubsubcategory+"','"+pimage+"','"+psecondimage+"','"+pthirdimage+"','"+pcontent+"')}";
        stmt=con.prepareCall(sql);
        stmt.executeUpdate(sql);   
        System.out.println("Inserted records into the table...");  

        stmt.close();  
        con.close();  
    }catch(SQLException se){  
        se.printStackTrace();  
    }
}else {  
    System.out.println("Failed to make connection!");  
}  

请建议我一个合适的解决方案来从 jdbc 插入这些数据。

4

2 回答 2

2

而不是这样做:

 String sql="{call adminproduct('"+pid+"','"+pname+"'   ,'"+plink+"' ,'"+pkeyword1+"','"+pprice+"','"+pshipping+"','"+pquantity+"','"+pcategory+"','"+psubcategory+"','"+psubsubcategory+"','"+pimage+"','"+psecondimage+"','"+pthirdimage+"','"+pcontent+"')}";

你应该调查 PreparedStatements

本质上,您提供了一个占位符的 SQL 语句并声明每个占位符中的参数。这利用了数据库 API,这样您就不必转义撇号等,保护您免受SQL 注入

于 2013-10-24T14:44:03.113 回答
2

您应该使用参数化 SQL,而不是直接在调用本身中包含值。所以像:

// The ... is because I didn't want to count the huge number of parameters...
// You'll need to fill in the right number of question marks.
String sql = "{call adminproduct(?, ?, ?, ?, ?, ...))}";
stmt = con.prepareCall(sql);
stmt.setString(1, pid);
stmt.setString(2, pname);
// Etc... all the parameters
stmt.executeUpdate(sql);   

永远不要在 SQL 中直接包含变量值,无论它们是调用存储过程还是普通 SQL。使用参数化 SQL 有三个主要好处:

  • 它可以防止SQL 注入攻击
  • 它避免了混乱的转换(尤其是日期/时间字段)
  • 通过将 SQL 与值分开,它使您的代码更清晰。(没有所有字符串连接,SQL容易阅读。)
于 2013-10-24T14:47:32.527 回答