我正在将字符串数组传递给PreparedStatement。我正在使用 mysql、jsp 和存储过程,但它没有从数据库获取数据:
String searchbycategory[] = request.getParameterValues("category");
StringBuilder sb= new StringBuilder();
String filter = "";
for(int i = 0; i < searchbycategory.length; i++) {
sb.append( "'"+searchbycategory[i]+"'," );
}
filter = sb.toString();
filter = filter.substring(0, filter.length()-1);
PreparedStatement pstmt = con.prepareStatement("{call some(?)}");
pstmt.setString(1, filter);
ResultSet resultset = pstmt.executeQuery();
最佳答案
如果searchbycategory的长度为1,您的程序应该按预期工作。 问题是您将输入字符串连接成一个。
如果你想防止程序中的SQL注入(inject), 每个searchbycategory 应映射到PrepareStatement 中的一个参数。例如:
String searchbycategory[] = request.getParameterValues("category");
StringBuilder sb = new StringBuilder().append("select col_name from table_name where category in (");
for (int i = 0; i < searchbycategory.length; i++) {
sb.append("?,");
}
sb.setCharAt(sb.length()-1,')');
PreparedStatement pstmt = con.prepareStatement(sb.toString());
for (int i = 0; i < searchbycategory.length; i++) {
pstmt.setString(i+1, searchbycategory[i]);
}
ResultSet resultset = pstmt.executeQuery();
关于mysql - 我将字符串数组传递给PreparedStatement..我正在使用mysql、jsp和存储过程,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36623061/