MySQL语法错误当我尝试通过JDBC执行SQL查询

egmofgnx  于 12个月前  发布在  Mysql
关注(0)|答案(2)|浏览(206)

我正在构建一个Java微服务,它使用AWS Aurora MySQL进行某些操作。代码连接到数据库很好,我的前三个查询都抛出了类似的错误,直到我意识到我丢失了数据库。
然而,最后一个查询(update语句)仍然给我同样的语法错误,即使是使用了codeon,我也不知道为什么。
代码如下:

try {
            conn = DriverManager.getConnection(jdbcUrl);

            setupStatement = conn.createStatement();
            idInsertStatement = conn.createStatement();
            secretNumberUpdateStatement = conn.createStatement();

            String createTableIfNotExists = "CREATE TABLE IF NOT EXISTS secret_number_generator(id BIGINT NOT NULL AUTO_INCREMENT PRIMARY KEY, secret_number VARCHAR(20);";

            String generateSecretId = "INSERT INTO secret_number_generator VALUES(null,null);";

            String getLastRecordId = "SELECT id FROM secret_number_generator ORDER BY id DESC LIMIT 1;";

            setupStatement.addBatch(createTableIfNotExists);
            idInsertStatement.addBatch(generateSecretId);
            setupStatement.executeBatch();
            idInsertStatement.executeBatch();
            readStatement = conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE, ResultSet.CONCUR_READ_ONLY);
            resultSet = readStatement.executeQuery(getLastRecordId);

            while(resultSet.next()){
                id = String.valueOf(resultSet.getLong("id"));
            }

            /*
              Logic for setting up secretNumber
            */

            }
            secretNumber = "R" + env + id + randomDigit;

            String updateSecretNumber = "UPDATE secret_number_generator SET secret_number = " + secretNumber + " WHERE id = " + id + ";";

            secretNumberUpdateStatement.addBatch(updateSecretNumber);
            secretNumberUpdateStatement.executeBatch();

            resultSet.close();
            setupStatement.close();
            idInsertStatement.close();
            secretNumberUpdateStatement.close();
            readStatement.close();
            conn.close();

        } catch (SQLException ex) {
            // Handle any errors
            System.out.println("SQLException: " + ex.getMessage());
            System.out.println("SQLState: " + ex.getSQLState());
            System.out.println("VendorError: " + ex.getErrorCode());
        } finally {
            System.out.println("Closing the connection.");
            if (conn != null) try { conn.close(); } catch (SQLException ignore) {}
        }

字符串
我得到的更新查询的错误是

SQLException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1


如前所述,在我在前面的查询末尾添加一个查询之前,它们也会显示相同的错误,现在它只显示在最后一个查询中。

yptwkmov

yptwkmov1#

虽然前面的例子给了你想要的结果,但它很容易在恶意变量值上中断。这个版本针对SQL注入进行了强化:
像这样使用PreparedStatement:

PreparedStatement ps = connection.prepareStatement(
    "UPDATE secret_number_generator " +
    "SET secret_number = ? " +
    "WHERE id = ?";
ps.setString(1, secretNumber);
ps.setString(2, id);
int count = ps.executeUpdate();
System.out.println("updated %d rows", count);

字符串

lb3vh1jj

lb3vh1jj2#

由于您已经将列secretNumber创建为VARCHAR(20),因此在添加它之前,我将检查以确保secretNumber最多为20个字符。
第30章你有以下的

secretNumber = "R" + env + id + randomDigit;

字符串
所以,你可以使用调试器,或者在第31行你可以把下面的。

if (secretNumber.length() > 20) throw new Exception();


如果这不起作用,我想你可以尝试在值周围加上单引号。

String updateSecretNumber =
   "UPDATE secret_number_generator " +
   "SET secret_number = '" + secretNumber + "' " +
   "WHERE id = '" + id + "'";


此外,不需要在单个语句的结尾处添加一个后缀。

相关问题