从结果集中通过使用Java变量和SQL WHERE子句获取主键值

huangapple go评论89阅读模式
英文:

Getting primary key value from resultset by using Java variable with SQL WHERE clause

问题

我知道使用这种技术并不是一个好的实践,因为它容易受到 SQL 注入的攻击,但出于速度和测试的考虑,我目前是这样做的。我正在创建一个程序,将用户名、IP 和数据库名称保存到另一个数据库中。然而,当我尝试执行如下语句时:

ResultSet rs = stmt.executeQuery("SELECT LoginID, IPAddress FROM slavelogins WHERE IPAddress = '" + inputString + "';");
String ClientID = String.valueOf(rs.getInt(1));
System.out.println("Client ID: " + ClientID);
} catch (SQLException err) {
    System.err.println("Error retrieving client id, please continue later!" + err);
    System.exit(0);

然后我遇到一个错误,错误信息说值在 resultset 的开头之前,我相信这意味着没有从数据库中检索到数据,有没有修复这个问题的方法或绕过这个问题的方法,或者是否有我没有意识到的更简便的方法?

附注:如果 LoginID 是一个主键,是否会造成任何问题。

上面的代码检索 loginid 并将其显示给用户,格式为 'ClientID: ' + rs.getInt(1),其中 rs.getInt(1) 应该是 loginID。

我还看到过关于在预编译语句中使用占位符的帖子,但我没有看到关于普通语句中的选择查询的任何信息。

错误信息:

错误检索客户端 ID,请稍后继续!java.sql.SQLException:在结果集开始之前

英文:

I know its not great practise at all to use techniques like this as it is prone to SQL injections, but for speed and testing this is currently how I am doing it. I am creating a program which saves a username, ip and a database name to another database. However when I try and perform a statement like so:

ResultSet rs = stmt.executeQuery("SELECT LoginID, IPAddress FROM slavelogins WHERE IPAddress = '" + inputString + "';");
            String ClientID = String.valueOf(rs.getInt(1));
            System.out.println("Client ID: " + ClientID);
        } catch (SQLException err) {
            System.err.println("Error retrieving client id, please continue later!" + err);
            System.exit(0);

I then run into an error which says the value is before the start of resultset, I believe this means there is no data retrieved from the database, is there a way to fix this or a way around this or an easier way which I am not realising?

P.S LoginID is a primary key if that creates any problems.

The code above retrieves the loginid and displays it to the user as 'ClientID: ' + rs.getInt(1) where rs.getInt should be the loginID.

I have also seen posts about using placeholders in preparedstatements but I haven't seen anything regarding a select query in a normal statement.

The error message:

> Error retrieving client id, please continue later! java.sql.SQLException: Before start of result set

答案1

得分: 0

你可以将ResultSet视为对你查询的行的游标。无论它的位置如何,都可以使用next()来检查是否还有另一行,并将游标移动到该行。

结果的第一行与此无异 - ResultSet第一行之前开始,您需要使用next()移动到该行:

if (rs.next()) {
    String clientID = String.valueOf(rs.getInt(1));
    System.out.println("Client ID: " + clientID);
} else {
    System.out.println("No such client");
}
英文:

You can think of the ResultSet as a cursor over the rows you've queried. Whatever its position may be, you can use next() to check if there's another row there, and move the cursor to it.

The first row of the result is no different - a ResultSet start before the first row, and you need to use next() to move to that row:

if (rs.next()) {
    String clientID = String.valueOf(rs.getInt(1));
    System.out.println("Client ID: " + clientID);
} else {
    System.out.println("No such client");
}

huangapple
  • 本文由 发表于 2020年9月1日 03:59:43
  • 转载请务必保留本文链接:https://go.coder-hub.com/63677429.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定