problem caused by single quotes in select query
public void getExp(String bool_expression,int groupId,int expLevel){
List<String> list=new ArrayList<String>();
List<String> nextExpressionList = new ArrayList<String>();
try{
ResultSet resultSet=null;
String sqlString = null;
Statement stmt = null;
if(expLevel==1){
System.out.println("explevel---"+expLevel+"group Id --"+groupId);
sqlString ="select bool_expression from LNP_ENG_EXPRESSIONS where fk_group="+groupId+" and expression_level="+expLevel+"";
stmt =connection.createStatement();
resultSet= stmt.executeQuery(sqlString);
while(resultSet.next()){
nextExpressionList.add(resultSet.getString(1));
System.ou开发者_StackOverflow中文版t.println("expression -- "+ resultSet.getString(1));
}
}
if(expLevel > 1 ){
System.out.println("bool_ expression --"+bool_expression);
String sql = "select distinct variable_name from LNP_ENG_VARIABLES where id IN "+
"(select fk_variable_id from LNP_ENG_QUESTIONS where question_code IN "+
"( select Question_code from LNP_APP_QUESTIONS where id IN "+
"(select fk_question_id from LNP_ENG_ASC_QUESTION_EXP where FK_EXP_ID IN"+
"(select id from LNP_ENG_EXPRESSIONS where bool_expression = '"+bool_expression+"'"+"and fk_group="+groupId+" and expression_level="+(expLevel-1)+"))))";
System.out.println("1");
stmt =connection.createStatement();
resultSet=stmt.executeQuery(sql);
while(resultSet.next()){
list.add(resultSet.getString(1));
System.out.println("list --"+resultSet.getString(1));
}
for(int i=0;1<list.size();i++){
sqlString = "select distinct bool_expression from LNP_ENG_EXPRESSIONS where "+
"bool_expression like '%"+list.get(i)+"%' and expression_level="+expLevel+" and fk_group="+groupId+"";
resultSet = stmt.executeQuery(sqlString);
while(resultSet.next()){
nextExpressionList.add(resultSet.getString(1));
System.out.println("expression -- "+ nextExpressionList.get(i));
}
}
}
}
catch (Exception e) {
// TODO: handle exception
}
}
public static void main(String args[]){
ExpressionBuilder builder=new ExpressionBuilder();
builder.getExp("Industry='NO'", 1, 2);
}
Getting error in i pass bool_expression as Industry='NO' to the sql query.
that error is because of single quotes '' . But i am not able to resolve it.
It's easy - use PreparedStatement and let it escape the Strings properly for you.
While it doesn't explain your problem, I don't like your code very much. It's getting too big. I'd refactor by creating a separate DAO interface with three methods, one for each of the queries you're executing. I'd make those query Strings static final constants in the DAO implementation class. I'd test this separately. When it was working perfectly I'd give the object that's checking the experience level a reference to a DAO and have it call its methods rather than embedding all that database logic in one class.
It's called "decomposition". It'll help you manage your problem as it gets larger.
Something like this:
package persistance;
public interface FooDao
{
List<Foo> find(String name);
}
public class FooDaoImpl implements FooDao
{
public static final String FIND_BY_NAME_SQL = "SELECT * FROM Foo WHERE name = ?";
private DataSource dataSource;
public Foo(DataSource dataSource)
{
this.dataSource = dataSource;
}
public List<Foo> find(String name)
{
List<Foo> result = new ArrayList<Foo>();
PreparedStatement ps = null;
ResultSet rs = null;
try
{
ps = this.dataSource.getConnection().prepareStatement(FIND_BY_NAME_SQL);
ps.setString(1, name);
rs = ps.executeQuery();
while (rs.hasNext())
{
// Map row into Foo and add it to the List
result.add(foo);
}
}
catch (SQLException e)
{
throw new RuntimeException(e);
}
finally
{
close(rs);
close(ps);
}
}
}
This is covered in the other post but I want to highlight that "problem with single quotes" is pretty much a synonym for "open to SQL injection"
加载中,请稍侯......
精彩评论