The method does not check the value properly

Question
static boolean checkCode(String Code, Connection conn) throws SQLException {
    Statement s;
    String cc = null;
    try {
        String Statement = "SELECT Code from Courses where Code=" + Code;
        s = conn.createStatement();
        ResultSet rs = s.executeQuery(Statement);
        while (rs.next()) {
            cc = rs.getString("Code");
        }

        if (Code.equalsIgnoreCase(cc))
            return true;
        else
            return false;

    } catch (SQLException e) {}
    return false;
}

I am using a switch case and 3 cases aren't working properly (delete using the course's code, update using the course's code, and view a specific course using the course's code), so I think the error is in the checkCode method. Could someone please help?

Answer 1

Score: 0


You are selecting a value where a value is equal to itself. I would just get a count of matching records. Next, you aren't closing any of the resources you open in your method. And, you are silently swallowing any exceptions that occur. Finally, you aren't using PreparedStatement, so your query (at least at first glance) is vulnerable to SQL injection.

Something like,

static boolean checkCode(String Code, Connection conn) throws SQLException {
	String query = "SELECT count(*) from Courses where Code=?";
	try (PreparedStatement ps = conn.prepareStatement(query)) {
		ps.setString(1, Code);
		try (ResultSet rs = ps.executeQuery()) {
			if (rs.next()) {
				return rs.getInt(1) > 0;
			}
		}
	} catch (SQLException e) {
		e.printStackTrace();
	}
	return false;
}
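The difference between the question's concatenated query and the answer's bound parameter, shown as an added example that is not part of this post: Python's built-in sqlite3 module stands in for JDBC so it runs without a database driver, and the Courses table and its rows are constructed here.

```python
import sqlite3

# Constructed sample rows standing in for the Courses table in the question.
COURSES = [("CS101", "Intro to Programming"), ("MATH201", "Calculus"), ("ENG'105", "Writing")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Courses (Code TEXT, Title TEXT)")
    conn.executemany("INSERT INTO Courses VALUES (?, ?)", COURSES)
    return conn


def check_code_concat(conn, code):
    """Query built as in the question: the input is pasted into the SQL text
    unquoted, so the database parses it as an identifier (a column name),
    not as the value to compare against."""
    query = "SELECT Code FROM Courses WHERE Code=" + code
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as e:
        # "no such column" for a normal code, a syntax error if it contains a quote
        return ("error", str(e))
    return ("ok", row[0] if row else None)


def check_code_param(conn, code):
    """Query built as in the answer: a bound parameter keeps the input as data,
    so quotes or column names inside it have no SQL meaning."""
    row = conn.execute("SELECT count(*) FROM Courses WHERE Code=?", (code,)).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    conn = make_db()
    # "Code" turns the concatenated query into WHERE Code=Code, matching every row.
    for code in ("CS101", "Code", "ENG'105", "CS999"):
        print(f"{code!r}: concat={check_code_concat(conn, code)} param={check_code_param(conn, code)}")
```

Note that the answer's count query compares in the database's collation, whereas the original Java code compared with equalsIgnoreCase; add the appropriate collation or case normalisation if case-insensitive matching is required.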

huangapple
  • Posted on May 2, 2020 12:48:33
  • When reposting, please keep the link to this article: https://go.coder-hub.com/61554611.html