简单的执行如下语句去做数据库的插入操作是有问题的!它处理不了单引号,双引号等需要转义的字符的插入问题!
String sql = "insert into emailOriginal(id,date,subject,source,target" +
") value(\""
+ vo.getId() + "\",\""
+ vo.getDate()+"\",\""
+ vo.getSubject()+"\",\""
+ vo.getSource()+"\",\""
+ vo.getTarget()+"\");";
。。。
pstmt = dbc.getConnection().prepareStatement(sql);
。。。
pstmt.execute(sql);
会有如下错误:
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'notional" stuff
经过查找发现是插入“nation”时,双引号没有经过转义!
现在修改成使用PreparedStatement,用?预处理查询条件,会避免上述简单的字符串拼接造成的转义问题。
String sql = "insert into emailOriginal(id,date,subject,source,target" +
") value(?,?,?,?,?);";
PreparedStatement pstmt = null;
try {
pstmt = dbc.getConnection().prepareStatement(sql);
pstmt.setString(1, vo.getId());
pstmt.setString(2, vo.getDate());
pstmt.setString(3, vo.getSubject());
pstmt.setString(4, vo.getSource());
pstmt.setString(5, vo.getTarget());
pstmt.execute();
//pstmt.execute(sql);
pstmt.close();
} catch (Exception e) {
e.printStackTrace();
}
其中的
pstmt.setString(1, vo.getId());
会帮助字符串转义。
可以插入如下的记录了:
+------+------+--------+--------+----------+
| id | date | source | target | subject |
+------+------+--------+--------+----------+
| id | date | source | target | "subject |
| id | date | source | target | 'subject |
+------+------+--------+--------+----------+