条款替代条款中的陈述?使用sql的最佳解决方案是什么?IN的实例的子句java.sql.PreparedStatement,由于sql注入攻击安全性问题,不支持多个值:一个?占位符代表一个值,而不是一个值列表。考虑以下SQL语句:SELECT my_column FROM my_table where search_column IN (?)使用preparedStatement.setString( 1, "'A', 'B', 'C'" );本质上是一种非工作的尝试,以解决使用?首先。有什么解决办法?
3 回答
慕丝7291255
TA贡献1859条经验 获得超6个赞
final PreparedStatement statement = connection.prepareStatement(
"SELECT my_column FROM my_table where search_column = ANY (?)");final String[] values =
getValues();statement.setArray(1, connection.createArrayOf("text", values));final ResultSet rs = statement.executeQuery();try {
while(rs.next()) {
// do some...
}} finally {
rs.close();}final PreparedStatement statement = connection.prepareStatement(
"SELECT my_column FROM my_table " +
"where search_column IN (SELECT * FROM unnest(?))");final String[] values = getValues();statement.
setArray(1, connection.createArrayOf("text", values));final ResultSet rs = statement.executeQuery();try {
while(rs.next()) {
// do some...
}} finally {
rs.close();}添加回答
举报
0/150
提交
取消