Java PreparedStatement.setString() 方法不带引号
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2917496/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PreparedStatement.setString() method without quotes
提问by Slavko
I'm trying to use a PreparedStatement with code similar to this:
我正在尝试使用类似以下代码的 PreparedStatement:
SELECT * FROM ? WHERE name = ?
Obviously, what happens when I use setString() to set the table and name field is this:
显然,当我使用 setString() 设置表和名称字段时会发生什么:
SELECT * FROM 'my_table' WHERE name = 'whatever'
and the query doesn't work. Is there a way to set the String without quotes so the line looks like this:
并且查询不起作用。有没有办法设置不带引号的字符串,因此该行如下所示:
SELECT * FROM my_table WHERE name = 'whatever'
or should I just give it up and use the regular Statement instead (the arguments come from another part of the system, neither of those is entered by a user)?
或者我应该放弃它并使用常规 Statement 代替(参数来自系统的另一部分,这些参数都不是由用户输入的)?
采纳答案by mdma
Parameters cannot be used to parameterize the table, or parameterize any database objects. They're mostly used for parameterizing WHERE/HAVING clauses.
参数不能用于参数化表,或参数化任何数据库对象。它们主要用于参数化 WHERE/HAVING 子句。
To do what you want, you'll need to do the substitution yourself and create a regular statement as needed.
要执行您想要的操作,您需要自己进行替换并根据需要创建常规语句。
When you use a prepared statement, this is a hint to the database to do up front processing on the statement - e.g. parse the string and possibly determine an execution plan. If the objects used in the query can change dynamically, then the database could not do much up front preparation.
当您使用准备好的语句时,这是对数据库进行预先处理的提示——例如解析字符串并可能确定执行计划。如果查询中使用的对象可以动态更改,那么数据库就不能做太多的前期准备工作。
回答by Zugwalt
Unfortunately you cannot parameterize table names for prepared statements. If desired, you could construct a String and execute it as dynamic SQL.
不幸的是,您不能为准备好的语句参数化表名。如果需要,您可以构造一个字符串并将其作为动态 SQL 执行。
回答by duffymo
I doubt that your SQL is really infinitely flexible that way. You only have a finite number of tables, so the number of static final Strings to express the SQL you need is finite as well.
我怀疑您的 SQL 是否真的以这种方式无限灵活。您只有有限数量的表,因此用于表达您需要的 SQL 的静态最终字符串的数量也是有限的。
Continue to use PreparedStatement and bind your variables. It's totally worth it, especially helpful when avoiding SQL injection problems.
继续使用 PreparedStatement 并绑定您的变量。这是完全值得的,在避免 SQL 注入问题时尤其有用。
回答by Venkat
The mistake you did is that you cannot pass the table name as a parameter. You should only pass the values to a SQL Statement.
你犯的错误是你不能将表名作为参数传递。您应该只将值传递给 SQL 语句。
Ex: If you're wantto :
例如:如果你想:
Select * from LoggedUsers where username='whatever' and privilege='whatever';
then you've to build the PreparedStatement as :
那么你必须将 PreparedStatement 构建为:
Select * from LoggedUsers where username=? and privilege=?
setString(1, usernameObject);
setString(2, privilegeObject);
The purpose of PreparedStatement is to reduce the difficulty and readability of the database connection code.when the developer has to use so many column values with Statement's instance it's so difficult to put semicolons, commas and plus (concat operator).
PreparedStatement 的目的是降低数据库连接代码的难度和可读性。当开发人员必须在 Statement 的实例中使用如此多的列值时,很难放置分号、逗号和加号(连接运算符)。
I think you're mistakenly wanted to take advantage of it, which is not designed to be....
我认为您错误地想利用它,这不是设计为......
