Here is an example: String sql="insert into customers(idcustomer,username,password,realname,email,phone,zip,address) values(?,?,?,?,?,?,?,?)";
phone and zip do not need quotes: String sql="insert into customers(idcustomer,username,password,realname,email,phone,zip,address) values('"+id+"','"+username+"','"+password+"','"+realname+"','"+email+"',"+phone+","+zip+",'"+address+"')";
If you use ?, you need to use PreparedStatement, I think, heh. OP, take another look at the quote problem.
(idcustomer,username,password,realname,email,phone,zip,address) values("'"+id+"','"+username+"','"+password+"','"+realname+"','"+email+"','"+phone+"','"+zip+"','"+address+"'")";
Try this statement. Your statement is missing a " at both the start and the end of where the variables are inserted; look carefully at the parts in red.
String sql="insert into customers(idcustomer,username,password,realname,email,phone,zip,address) values(?,?,?,?,?,?,?,?)"; is safe and causes no problems. Concatenating SQL statements will definitely have SQL injection vulnerabilities. No production site writes it that way.
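The placeholder form that the reply above recommends, written out as an added example (not code from this thread); it assumes an open JDBC Connection supplied by the caller and a class name CustomerDao chosen here:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class CustomerDao {
    // Same column list as the thread's INSERT. The SQL text is a fixed constant:
    // no user value is ever concatenated into it.
    private static final String INSERT_SQL =
        "insert into customers(idcustomer,username,password,realname,email,phone,zip,address) "
      + "values(?,?,?,?,?,?,?,?)";

    // Each value is bound to its ? separately, so a quote character inside
    // username or address (e.g. o'brien) is stored as data and cannot change
    // the statement structure, which is what makes the concatenated version unsafe.
    // Returns the number of rows inserted (1 on success).
    public static int insertCustomer(Connection conn, String id, String username, String password,
                                     String realname, String email, String phone, String zip,
                                     String address) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            ps.setString(1, id);
            ps.setString(2, username);
            ps.setString(3, password);
            ps.setString(4, realname);
            ps.setString(5, email);
            // phone and zip are bound as strings here (the thread ends up with varchar columns);
            // if the columns stay numeric, use ps.setLong / ps.setInt instead. Either way the
            // driver decides the quoting, not string concatenation.
            ps.setString(6, phone);
            ps.setString(7, zip);
            ps.setString(8, address);
            return ps.executeUpdate();
        }
    }
}
```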
String sql="insert into customers
(idcustomer,username,password,realname,email,phone,zip,address) values("'"+id+"','"+username+"','"+password+"','"+realname+"','"+email+"',"+phone+","+zip+",'"+address+"'")";
And also change phone and zip to varchar type.
String sql="insert into customers values('"+id+"','"+username+"','"+password+"','"+realname+"','"+email+"','"+phone+"','"+zip+"','"+address+"')";
db.update(sql);
Anyway, it works like this now.
I don't know what was going on either.