如何根据用户输入(扫描仪)获取 SQL 准备语句

Posted

技术标签:

【中文标题】如何根据用户输入(扫描仪)获取 SQL 准备语句【英文标题】:How to get SQL prepared statement based on user input (scanner) 【发布时间】:2019-05-10 09:30:12 【问题描述】:

我在创建准备好的语句时遇到困难,该语句选择并打印出满足条件的行:

SELECT ReservationStartDate, ReservationEndDate FROM treservations WHERE ReservationStartDate< **?** AND ReservationEndDate> **?**

“?”用户输入 - 字符串,例如 2019-07-09 和 2019-08-16

我可以通过以下方法选择*:

public static List<Reservation> getAllReservation()
        List<Reservation> reservationsList = new ArrayList<>();
        String sql = "SELECT * FROM `treservations`";
        try
            PreparedStatement ps = ConnectorDB.connection.prepareStatement(sql);
            ResultSet resultSet = ps.executeQuery();
            while (resultSet.next())
                Reservation reservation = new Reservation();
                reservation.setReservationID(resultSet.getInt("ReservationID"));
                reservation.setCarID(resultSet.getInt("CarID"));
                reservation.setReservationStartDate(resultSet.getString("ReservationStartDate"));
                reservation.setReservationEndDate(resultSet.getString("ReservationEndDate"));
                reservation.setPesel(resultSet.getString("Pesel"));
                reservationsList.add(reservation);
            
        catch (SQLException e)
            e.printStackTrace();
        
        return reservationsList;

例如,根据扫描仪的用户输入插入新行:

public static List<Reservation> getAllReservation()
        List<Reservation> reservationsList = new ArrayList<>();
        String sql = "SELECT * FROM `treservations`";
        try
            PreparedStatement ps = ConnectorDB.connection.prepareStatement(sql);
            ResultSet resultSet = ps.executeQuery();
            while (resultSet.next())
                Reservation reservation = new Reservation();
                reservation.setReservationID(resultSet.getInt("ReservationID"));
                reservation.setCarID(resultSet.getInt("CarID"));
                reservation.setReservationStartDate(resultSet.getString("ReservationStartDate"));
                reservation.setReservationEndDate(resultSet.getString("ReservationEndDate"));
                reservation.setPesel(resultSet.getString("Pesel"));
                reservationsList.add(reservation);
            
        catch (SQLException e)
            e.printStackTrace();
        
        return reservationsList;

问题是如何结合这两种方法,并能够根据用户扫描仪输入选择数据库中的行(然后打印出来)。

我的想法: 1. 我们根据用户输入创建预订对象

    public static Reservation clientReservationMenuInput()
        Scanner scanner = new Scanner(System.in);
        String regData = "\\d4-\\d2-\\d2";
        System.out.println("2 Reservation start date (YYYY-MM-DD) ");
        String ReservationStartDate;
        while (!(ReservationStartDate=scanner.next()).matches(regData))
            System.out.printf("Date format not correct, Please try once again\n");
        
        System.out.println("3 Reservation end date (YYYY-MM-DD) ");
        String ReservationEndDate;
        while (!(ReservationEndDate=scanner.next()).matches(regData))
            System.out.printf("Date format not correct, Please try once again\n");
        
        Reservation reservation = new Reservation();
        reservation.setReservationStartDate(ReservationStartDate);
        reservation.setReservationEndDate(ReservationEndDate);
        return reservation;
    创建的对象是checkDatesForReservation方法的参数 SQL 哪里有两个参数“?”表示来自用户输入的日期 我需要 while 循环来查找所有行 最后我需要返回一个列表 
    public static List<Reservation> checkDatesForReservation(Reservation reservation)
        List<Reservation> reservationList = new ArrayList<>();
        String sql2= "SELECT ReservationStartDate, ReservationEndDate FROM treservations WHERE ReservationStartDate=? AND ReservationEndDate= ?";
        try
            PreparedStatement ps = ConnectorDB.connection.prepareStatement(sql2);
            ResultSet resultSet = ps.executeQuery();
            while (resultSet.next())
                ps.setString(1,reservation.getReservationStartDate());
                ps.setString(2,reservation.getReservationEndDate());
                reservationList.add(reservation);
            
        catch (SQLException e)
            e.getStackTrace();
        
        return reservationList;

【问题讨论】:

问题是什么?你有什么错误吗? 【参考方案1】:

请参考JDBC PreparedStatement example – Select list of the records

 public static List<Reservation> checkDatesForReservation(Reservation reservation)
        Reservation reservation = null;
        List<Reservation> reservationList = new ArrayList<>();
        String sql2= "SELECT ReservationStartDate, ReservationEndDate FROM treservations WHERE ReservationStartDate=? AND ReservationEndDate= ?";
        try
            PreparedStatement ps = ConnectorDB.connection.prepareStatement(sql2);
            ps.setString(1,reservation.getReservationStartDate());
            ps.setString(2,reservation.getReservationEndDate());
            ResultSet resultSet = ps.executeQuery();
            while (resultSet.next())
               reservation = new Reservation();
               reservation.setReservationStartDate(rs.getString("ReservationStartDate"));
               reservation.setReservationEndDate(rs.getString("ReservationEndDate"));
               reservationList.add(reservation);
            
        catch (SQLException e)
            e.getStackTrace();
        
        return reservationList;

【讨论】:

谢谢。但由于某种原因,我得到了 reservationList - 是空的。但现在我对这个解决方案很满意,需要仔细研究一下。【参考方案2】:

执行语句前需要设置参数。

        PreparedStatement ps = ConnectorDB.connection.prepareStatement(sql2);
        ps.setString(1,reservation.getReservationStartDate());
        ps.setString(2,reservation.getReservationEndDate());
        ResultSet resultSet = ps.executeQuery();
        while (resultSet.next())
            reservationList.add(reservation);

【讨论】:

以上是关于如何根据用户输入(扫描仪)获取 SQL 准备语句的主要内容,如果未能解决你的问题,请参考以下文章

准备好的语句中的动态 where 条件的 SQL 注入

如何防止sql注入攻击?

如何根据用户输入从 SQL 表中删除项目?

BIRT 中如何根据参数动态拼接 SQL

Prepare 语句的正确顺序以防止用户输入的 SQL 注入

查询语句执行的5个阶段