2 answers
Contributed 1842 posts, received over 21 upvotes
The simple (and insecure!) approach looks like this:
    // package declaration
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;

    public class Main {
        // Placeholder: supply your own JDBC connection string here.
        private static final String JDBC_URL = "jdbc:<your-database-url>";

        public static void main(String[] args) throws SQLException {
            if (args.length >= 1) {
                // The command-line argument is spliced straight into the SQL text.
                String query = "select FOO from BLAH a where a.BAZ = '"
                        + args[0] + "'";
                try (Connection connection = DriverManager.getConnection(JDBC_URL);
                     Statement statement = connection.createStatement();
                     // executeQuery returns the ResultSet; execute() only returns a boolean
                     ResultSet rs = statement.executeQuery(query)) {
                    // etcetera
                }
            } else {
                // report missing command line argument.
            }
        }
    }
The problem is that assembling an SQL query by string concatenation leaves it vulnerable to SQL injection, especially when some of the "parameters" may come from an untrusted source.
So the better (and safer) approach is to use PreparedStatement and its syntactically safe parameter substitution mechanism:
    // package declaration
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;

    public class Main {
        // Placeholder: supply your own JDBC connection string here.
        private static final String JDBC_URL = "jdbc:<your-database-url>";

        public static void main(String[] args) throws SQLException {
            if (args.length >= 1) {
                // The SQL text is fixed; '?' marks where the bound value goes.
                String query = "select FOO from BLAH a where a.BAZ = ?";
                try (Connection connection = DriverManager.getConnection(JDBC_URL);
                     // JDBC's method is prepareStatement (there is no createPreparedStatement)
                     PreparedStatement statement = connection.prepareStatement(query)) {
                    // The argument is sent as data, never parsed as part of the SQL.
                    statement.setString(1, args[0]);
                    try (ResultSet rs = statement.executeQuery()) {
                        // etcetera
                    }
                }
            } else {
                // report missing command line argument.
            }
        }
    }