For example:
StatementRecordset1 = ConnRecordset1.prepareStatement("select * from users where name like '%?%'",ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_READ_ONLY);
StatementRecordset1.setString(1,'abc');
This always causes problems: either it throws an error or it returns no results. If I embed the parameter directly into the SQL statement it works, but then it becomes insecure. How should this be handled?
StatementRecordset1 = ConnRecordset1.prepareStatement("select * from users where name like ?",ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_READ_ONLY);
StatementRecordset1.setString(1,'%abc%');
Use StringBuffer sbSql = new StringBuffer("");
sbSql.append("select * from users where name like '"+Your_parameter_Name+"'");
StatementRecordset1 = ConnRecordset1.prepareStatement(sbSql.toString());
To the OP:
setString(int,String);
The second argument is a String; you cannot write setString(1,'abc');
Also, the value set with setString automatically gets single quotes added in the SQL.
That is, if you write setString(1,"'abc'"); the corresponding position in the SQL will look like this: like '%'abc'%'
Write it as setString(1,"abc"); Also, for small-volume database operations, Statement executes more efficiently than PreparedStatement.
StatementRecordset1 = ConnRecordset1.prepareStatement("select * from users where name like ?",ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_READ_ONLY);
StatementRecordset1.setString(1,"%abc%");
The program reports no error, but it just returns no results. If I embed %abc% directly into the SQL statement, it works.
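The parameterized LIKE from the answer above (wildcards in the bound value, not in the SQL text) and the '%?%' mistake from the original question, shown end to end as an added example that is not any poster's code. Python's built-in sqlite3 stands in for JDBC so it runs offline; the users table, its rows and the helper names escape_like, search_users and placeholder_inside_literal_fails are all constructed here.

```python
import sqlite3

# Constructed sample data standing in for the thread's "users" table.
SAMPLE_USERS = [("abc",), ("xabcx",), ("100%abc",), ("def",), ("a_c",)]


def make_conn():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", SAMPLE_USERS)
    return conn


def placeholder_inside_literal_fails(conn):
    """The thread's first attempt: '%?%' is a string literal containing a
    question mark, not a placeholder, so the driver sees zero parameters
    and rejects the one value we try to bind."""
    try:
        conn.execute("SELECT name FROM users WHERE name LIKE '%?%'", ("abc",))
    except sqlite3.ProgrammingError:
        return True
    return False


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters in user input so they match literally.
    The escape character itself is doubled first, then % and _."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_users(conn, term, literal=True):
    """Substring search with the wildcards inside the bound VALUE.
    JDBC equivalent: prepareStatement("... name LIKE ? ESCAPE '\\'") then
    setString(1, "%" + escaped + "%"). With literal=False the user's own
    % and _ act as wildcards, which widens the match unexpectedly."""
    body = escape_like(term) if literal else term
    pattern = "%" + body + "%"
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    c = make_conn()
    print(placeholder_inside_literal_fails(c))   # True
    print(search_users(c, "abc"))                # plain substring match
    print(search_users(c, "%abc"))               # literal % matches only "100%abc"
    print(search_users(c, "%abc", literal=False))  # unescaped % matches everything with "abc"
```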