问题描述
我是 Java 新手,正在尝试习惯语法并将数据推送到 MysqL 表。我遇到了这个问题,无法弄清楚我做错了什么。执行我的更新命令时出现以下错误。
java.sql.sqlSyntaxErrorException: You have an error in your sql Syntax; check the manual that corresponds to your MysqL server version for the right Syntax to use near ''occupation' = 'cat' WHERE first_name = 'kevin' AND last_name = 'hudgens'' at line 1
at com.MysqL.cj.jdbc.exceptions.sqlError.createsqlException(sqlError.java:120)
at com.MysqL.cj.jdbc.exceptions.sqlExceptionsMapping.translateException(sqlExceptionsMapping.java:122)
at com.MysqL.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:953)
at com.MysqL.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1092)
at com.MysqL.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1040)
at com.MysqL.cj.jdbc.ClientPreparedStatement.executeLargeUpdate(ClientPreparedStatement.java:1347)
at com.MysqL.cj.jdbc.ClientPreparedStatement.executeUpdate(ClientPreparedStatement.java:1025)
at Driver.updateContact(Driver.java:172)
at Main.main(Main.java:119)
主文件
System.out.println("Please enter the first name of the contact you want to update.");
first_name = input.nextLine();
System.out.println("Please enter the last name of the contact you want to update.");
last_name = input.nextLine();
System.out.println("Are you sure you want to update " + first_name + " " + last_name
+ "'s information. YES or NO");
String verifyUpdate = input.nextLine();
// lower for comparison
// verifyUpdate = verifyUpdate.toLowerCase();
if (verifyUpdate.equals("YES")) {
break;
} else if (verifyUpdate.equals("NO")) {
System.out.println(
"Please enter the correct first and last name of the contact you would like to update");
} else {
System.out.println("You didnt enter the correct answer. YES or NO");
}
}
// inform user what they can update
System.out.println("What would you like to update? Options are:"
+ "\nFirsT NAME \n LAST NAME \n PHONE NUMBER \n EMAIL \n OCCUPATION");
// Collect the choices
String updateColumnChoice = input.nextLine();
System.out.println("What would you like to update it to? ");
String updatedValue = input.nextLine();
driver.updateContact(first_name,last_name,updateColumnChoice,updatedValue);
这是准备好的语句
public static void updateContact(String first_name,String last_name,String updatedColumn,String toBeUpdatedValue) {
try {
// Get connection to database
Connection myConn = DriverManager.getConnection(info);
// Create sql command for deleting
String query = "UPDATE contacts SET ? = '?' WHERE first_name = '?' AND last_name = '?' ";
PreparedStatement preparedStmt = myConn.prepareStatement(query);
preparedStmt.setString(1,updatedColumn);
preparedStmt.setString(2,toBeUpdatedValue);
preparedStmt.setString(3,first_name);
preparedStmt.setString(4,last_name);
// push prepared statement to the database
preparedStmt.executeUpdate();
// close the connection to the database
myConn.close();
} catch (Exception exc) {
exc.printstacktrace();
}
}
对此的任何帮助将不胜感激。以及对我的代码的任何普遍批评。
解决方法
据我所知,您只能将 PreparedStatement 的参数用于值,不能用于元数据。如果您需要 updatedColumn 是动态的,您可以这样做:
String query = "UPDATE contacts SET " + updatedColumn + " = '?' WHERE first_name = '?' AND last_name = '?' ";
请注意,您必须确保 updatedColumn 被正确引用/转义,特别是如果它来自用户数据(即 SQL 注入攻击)。