我运行 FindBugs,这是第 2 行的错误。
Statement st = con.createStatement();
st.executeUpdate("UPDATE menu set menu.name'"
+ value2 + "', menu.info'" + value3
+ "', menu.price'" + value4
+ "' where menu.menuID='" + value1 + "'");
JOptionPane.showMessageDialog(p2,
"Updated successfully");
con.close();
} catch (Exception ex) {
JOptionPane.showMessageDialog(p2,
"Error in updating edit fields");
}
}
} catch (Exception ex) {
JOptionPane.showMessageDialog(p2, "Error");
}
}
});
我运行 FindBugs,这是第 2 行的错误。
Bug: ie.lyit.flight.Changeadd$5.actionPerformed(ActionEvent) passes a nonconstant String to an execute or addBatch method on an SQL statement The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks.
Rank: Troubling (10), confidence: High Pattern: SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE Type: SQL, Category: SECURITY (Security)
我想知道是否有人知道如何消除这个错误以及我将如何去做?
最佳答案
参见the JDBC tutorial on using prepared statements .
在这种情况下,这可能看起来像:
stmt = con.prepareStatement("UPDATE menu set menu.name=?, menu.info=?, menu.price=? where menu.menuID=?")
stmt.setString(1, value2); /* menu.name */
stmt.setString(2, value3); /* menu.info */
stmt.setFloat(3, value4); /* menu.price */
stmt.setInt(4, value1); /* menuID */
stmt.executeUpdate();
关于java - FindBugs 说我需要 "use a prepared statement"?如何?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/29752588/