下面显示的代码用于搜索工作清单,并添加了准备好的语句,以防止SQL注入也容易受到攻击。查询语句搜索在添加准备好的语句之前起作用,但是现在不返回任何内容。谁能看到我在做什么错?谢谢。先前的代码如下所示:
try (Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/SQL_DB", "root", "root"); Statement stmt = con.createStatement()) {
rs = stmt.executeQuery(queryStatement);
代码现在看起来像这样:
public List<jobs> searchjobs(@RequestParam String query) {
log.debug("REST request to search jobs for query {}", query);
String queryStatement = "SELECT * FROM jobs WHERE description like '%" + query + "%'";
log.info("Final SQL query {}", queryStatement);
ResultSet rs = null;
try (Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/SQL_DB", "root", "root");
PreparedStatement stmt = con.prepareStatement(queryStatement)) {
stmt.setString(1, query);
rs = stmt.executeQuery(queryStatement);
return extractjobs(rs);
} catch (SQLException ex) {
log.error(ex.getMessage(), ex);
return new ArrayList();
} finally {
try {
if (rs != null) {
rs.close();
}
} catch (SQLException ex) {
log.error(ex.getMessage(), ex);
}
}
}
您错过了准备好的陈述的要点。使用它时,您正在用占位符替换所有变量像这样
String queryStatement = "SELECT * FROM jobs WHERE description like ?";
然后您可以像以前那样绑定查询变量。只需先添加这些百分比字符]
query = "%" + query + "%";