最近出于安全原因,我刚刚将SQL中的语句更改为准备好的语句,这就是我的想法。
不幸的是它提出了一个找不到错误
"SELECT * FROM owner WHERE username = ? AND" + "password = ?;";
整个错误:
找不到标志:
符号:方法prepareStatement(java.lang.String)
位置:HolidayExchange.DBAccess类型的变量dbAccess
我意识到当它是一个preparedstatement时,它正在查找一个String,但这就是我总是在示例等中看到它的方式。
我可能正在做一些愚蠢的事情,但是解决此问题的任何帮助都会非常有帮助!
整个方法:
DBAccess dbAccess =新的DBAccess();
String sql = "SELECT * FROM owner WHERE username = '?' AND"+
" password = '?'";
PreparedStatement ps = dbAccess.prepareStatement(sql);
ps.setString(1,u);
ps.setString(2,p);
ResultSet rs = dbAccess.executeQuery2(ps);
User user = new User();
while (rs.next()){
user.setFirstname(rs.getString("firstname"));
user.setSurname(rs.getString("surname"));
user.setUsername(rs.getString("username"));
user.setPassword(rs.getString("password"));
}
rs.close();
dbAccess.close();
if(user.getUsername().length()==0){
return null;
}else{
return user;
}
} catch (Exception e) {
return null;
}
}`
最佳答案
缺少空间
// becomes ANDpassword in the resulting string:
"SELECT * FROM owner WHERE username = ? AND" + "password = ?;";
应该
// space added before passsword:
"SELECT * FROM owner WHERE username = ? AND" + " password = ?;";