String sqlStr = "select uname,upwd from yonghuxinxi where" + "uname = '?' and upwd = '?'";
Time: 2024-05-03 10:17:19 Views: 7
The problem with this SQL statement is that you used question marks as placeholders inside the string, but did not use a PreparedStatement object to execute the SQL statement. The correct way to write it is:
```
String sqlStr = "select uname, upwd from yonghuxinxi where uname = ? and upwd = ?";
PreparedStatement pstmt = conn.prepareStatement(sqlStr);
pstmt.setString(1, "用户名");
pstmt.setString(2, "密码");
ResultSet rs = pstmt.executeQuery();
```
This avoids SQL injection attacks and passes the parameters to the SQL statement correctly.
Related questions
Improve the code
```
if startT == "" || endT == "" {
	sqlstr = ""
} else {
	var buf bytes.Buffer
	fmt.Fprintf(&buf, "AND created_at BETWEEN %s AND %s", startT, endT)
	sqlstr = buf.String()
}
res := common.DB.Raw("SELECT * FROM(SELECT id,created_at,type,source,explanation,label,location,facility_id,pm_id FROM flaws WHERE facility_id = ? "+sqlstr+
	" UNION SELECT id,created_at,type,source,explanation,label,location,facility_id,pm_id FROM issues WHERE facility_id = ? "+sqlstr+
	" UNION SELECT id,created_at,type,source,explanation,label,location,facility_id,pm_id FROM records WHERE facility_id = ? "+sqlstr+
	" UNION SELECT id,created_at,type,source,explanation,label,location,facility_id,pm_id FROM qualities WHERE facility_id = ? "+sqlstr+
	" UNION SELECT id,created_at,type,source,explanation,label,location,facility_id,pm_id FROM inspections WHERE facility_id = ? "+sqlstr+
	") AS combined_tables LIMIT ? OFFSET ?", code, code, code, code, code, pageSize, offset).Find(&req)
```
This code is already fairly concise and clear, but a few improvements are possible. Here are some possible directions:
1. Use prepared statements to avoid SQL injection vulnerabilities. In Go, you can use the Prepare and Exec functions from the database/sql package to run prepared statements, which avoids SQL injection.
2. Store the query template in a constant or variable instead of hard-coding the SQL query in the code. This improves readability and maintainability.
3. Handle the query text and the query parameters separately, and avoid concatenating parameters directly into the query text, to improve readability and maintainability.
4. For large SQL queries, use a multi-line string to hold the query text for better readability. For example:
```
sql := `SELECT *
FROM table1
JOIN table2 ON table2.id = table1.table2_id
WHERE table1.id = ?`
```
5. Use a struct to hold the query parameters, which improves readability and maintainability. For example:
```
type QueryParams struct {
	Code     string
	StartT   string
	EndT     string
	PageSize int
	Offset   int
}

func GetQueryResults(params QueryParams) ([]Record, error) {
	// ...
}
```
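Putting points 1, 3 and 5 of this answer together for the query in the question: an added example (not code from the original answer) that builds the five-table UNION with the date range passed as bind parameters instead of being formatted into the query text. The table and column names come from the question; the function name and the `QueryParams` fields are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// QueryParams mirrors the parameters used in the question above (assumed names).
type QueryParams struct {
	Code     string
	StartT   string
	EndT     string
	PageSize int
	Offset   int
}

// sourceTables are the five tables the question unions together.
var sourceTables = []string{"flaws", "issues", "records", "qualities", "inspections"}

const selectCols = "id,created_at,type,source,explanation,label,location,facility_id,pm_id"

// BuildCombinedQuery returns the SQL text and its bind arguments, in placeholder order.
// The date range becomes "BETWEEN ? AND ?" with the values appended to args, so the
// start/end strings are never concatenated into the SQL text.
func BuildCombinedQuery(p QueryParams) (string, []interface{}) {
	var parts []string
	var args []interface{}
	dateFilter := ""
	if p.StartT != "" && p.EndT != "" {
		dateFilter = " AND created_at BETWEEN ? AND ?"
	}
	for _, t := range sourceTables {
		parts = append(parts, fmt.Sprintf("SELECT %s FROM %s WHERE facility_id = ?%s", selectCols, t, dateFilter))
		args = append(args, p.Code) // one facility_id placeholder per sub-select
		if dateFilter != "" {
			args = append(args, p.StartT, p.EndT) // two more placeholders per sub-select
		}
	}
	sql := "SELECT * FROM (" + strings.Join(parts, " UNION ") + ") AS combined_tables LIMIT ? OFFSET ?"
	args = append(args, p.PageSize, p.Offset)
	return sql, args
}

func main() {
	// Constructed sample input; with GORM as in the question: common.DB.Raw(sql, args...).Find(&req)
	sql, args := BuildCombinedQuery(QueryParams{Code: "F01", StartT: "2024-01-01", EndT: "2024-01-31", PageSize: 20})
	fmt.Println(sql)
	fmt.Println(args)
}
```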
```
public Modife queryVerify(Modife modifeModel) {
    String id = modifeModel.getID();
    String pw = modifeModel.getPassword();
    String npw = modifeModel.getnPassword();
    String sqlStr = "select id,password from register where " + "id = ? and password = ?";
    try {
        preSql = con.prepareStatement(sqlStr);
        preSql.setString(1, id);
        preSql.setString(2, pw);
        rs = preSql.executeQuery();
        if (rs.next() == true) {
            modifeModel.setLoginSuccess(true);
            JOptionPane.showMessageDialog(null, "登录成功", "恭喜", JOptionPane.WARNING_MESSAGE);
        } else {
            modifeModel.setLoginSuccess(false);
            JOptionPane.showMessageDialog(null, "登录失败", "登录失败,重新登录", JOptionPane.WARNING_MESSAGE);
        }
        con.close();
    } catch (SQLException e) {
    }
    return modifeModel;
}
```
After the if check succeeds, how can I change the value pw on the second line to npw?
You can add the password-update code inside the if block, as follows:
```
if (rs.next() == true) {
    preSql = con.prepareStatement("UPDATE register SET password=? WHERE id=?");
    preSql.setString(1, npw);
    preSql.setString(2, id);
    preSql.executeUpdate();
    modifeModel.setLoginSuccess(true);
    JOptionPane.showMessageDialog(null, "登录成功", "恭喜", JOptionPane.WARNING_MESSAGE);
}
```
Here we create a new PreparedStatement that uses an UPDATE statement to change the password of the given id to npw, set the parameter values with setString, and finally run the update with executeUpdate. Note that the id here must be the id of the user who just logged in successfully.