java - 异常 com.mysql.jdbc.exceptions.MySQLSyntaxErrorException

Question

我正在尝试将一些数据添加到我的数据库中，但出现错误:com.mysql.jdbc.exceptions.MySQLSyntaxErrorException。

代码如下:

Main.java中的AddToDatabase方法

public static void addToDatabaze(String name ,String address, String city, String phone, String email, String dateOfBirth, String age, String martialStatus, String gender, String id, String mainDepartment, String department, String training) throws ClassNotFoundException, SQLException
{
    //Databaza
    Class.forName("com.mysql.jdbc.Driver");
    String url="jdbc:mysql://***.*.*.*:****/employ";
    String uname="*****";
    String pass="***********";
    connect = DriverManager.getConnection(url,uname,pass);
    Statement statement;
    String query = "INSERT INTO employeetable (name,address,city,phone,email,dateofbirth,age,martialstatus,gender,id,maindepartment,department,training)values(" + name + "," + address + "," + city + "," + phone + "," + email + "," + dateOfBirth + "," + age + "," + martialStatus + "," + gender + "," + id + "," + mainDepartment + "," + department + "," + training + ")";
    statement = connect.createStatement();
    statement.execute(query);
}

AddNewEmployeeController.java

    private Main main;
    @FXML
    private TextField nameField;
    @FXML
    private TextField addressField;
    @FXML
    private TextField cityField;
    @FXML
    private TextField phoneField;
    @FXML
    private TextField emailField;

    @FXML
    private DatePicker dateOfBirth;
    @FXML
    private TextField ageField;
    @FXML
    private ChoiceBox martialStatusBox;

    @FXML
    private RadioButton maleButton;
    @FXML
    private RadioButton femaleButton;


    @FXML
    private TextField idField;
    @FXML
    private ComboBox mainDepartmentBox;
    @FXML
    private ComboBox departmentBox;
    @FXML
    private CheckBox yesBox;
    @FXML
    private CheckBox noBox;

@FXML
    private void addButton() throws ClassNotFoundException, SQLException
    {
        if(yesBox.isSelected())
            {
                main.addToDatabaze(nameField.getText(),addressField.getText(),cityField.getText(),phoneField.getText(),emailField.getText(),dateOfBirth.getValue().toString(),ageField.getText(),martialStatusBox.getSelectionModel().getSelectedItem().toString(),"Male",idField.getText(),mainDepartmentBox.getSelectionModel().getSelectedItem().toString(),departmentBox.getSelectionModel().getSelectedItem().toString(),"Yes");
                closeBtn();
            }
    }

输出:

Caused by: com.mysql.jdbc.exceptions.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Years,Single,Male,1404996,Electrical,Design,Yes)' at line 1
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:936)
at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:2985)
at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1631)
at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:1723)
at com.mysql.jdbc.Connection.execSQL(Connection.java:3277)
at com.mysql.jdbc.Connection.execSQL(Connection.java:3206)
at com.mysql.jdbc.Statement.execute(Statement.java:727)
at employee.Main.addToDatabaze(Main.java:58)
at employee.view.AddNewEmployeeController.addButton(AddNewEmployeeController.java:164)
... 118 more

附注Main:java:58 是这一行:

statement.execute(query);

AddNewEmployeeController.java:164 是这一行:

main.addToDatabaze(nameField.getText(),addressField.getText(),cityField.getText(),phoneField.getText(),emailField.getText(),dateOfBirth.getValue().toString(),ageField.getText(),martialStatusBox.getSelectionModel().getSelectedItem().toString(),"Male",idField.getText(),mainDepartmentBox.getSelectionModel().getSelectedItem().toString(),departmentBox.getSelectionModel().getSelectedItem().toString(),"Yes");

年，单例，男，1404996，机电，设计，是的是: 当我尝试将数据添加到:TextField ageField、ChoiceBox martialStatusBox、“Male”、idField、ComboBox mainDepartmentBox、ComboBox departmentBox、“Yes”时。

Answer 1

您需要使用 prepared statements :

try (PreparedStatement statement = connection.prepareStatement(
        "INSERT INTO employeetable (name,address,city,phone,email,dateofbirth,age,martialstatus,gender,id,maindepartment,department,training)" + 
        " values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
    statement.setString(1, name);
    statement.setString(2, address);
    // ... etc for the other fields

    statement.executeUpdate();
}

原始代码的问题在于您忘记在字符串值周围添加引号。天真的解决方案是使用

"...('" + name + "','" + address + "'..."

然而这仍然很糟糕，因为猜猜如果 name 的值为 O'Reilly 会发生什么。这称为 SQL 注入(inject)，它是最大的安全问题之一，即使使用如上所示的准备好的语句也可以轻松避免它。