/*
 * Builds and runs "update <table> set col=val,... where keycol=val" for the
 * current result set, with one entry of values per result-set column
 * (values[i] belongs to column i + 1 of rsmd).
 *
 * NOTE(review): every value is spliced into the SQL text as a literal
 * (quoted for VARCHAR/TIMESTAMP, bare for everything else), so a quote or
 * a ';' inside a value changes the statement itself rather than the data.
 */
public void updateRecord(String[] values) {
    String sql = "";
    String whereSQL = "";
    try {
        for (int i = 0; i < values.length; i++) {
            // Re-read on every iteration; presumably the same list each time,
            // so it could be fetched once above the loop.
            Vector keyFields = getKeyFields();
            if (rsmd.getColumnType(i + 1) == Types.VARCHAR || rsmd.getColumnType(i + 1) == Types.TIMESTAMP) {
                sql += rsmd.getColumnName(i + 1) + "='" + values[i] + "'";
                // Key columns are repeated in the WHERE clause with the same value.
                // NOTE(review): nothing is inserted between two key predicates,
                // so a table with more than one key column yields invalid SQL.
                if (keyFields.contains(rsmd.getColumnName(i + 1)))
                    whereSQL += rsmd.getColumnName(i + 1) + "='" + values[i] + "'";
            } else {
                sql += rsmd.getColumnName(i + 1) + "=" + values[i] + "";
                if (keyFields.contains(rsmd.getColumnName(i + 1)))
                    whereSQL += rsmd.getColumnName(i + 1) + "=" + values[i];
            }
            // Comma between SET assignments, none after the last one.
            if (i < values.length - 1)
                sql += ",";
        }
        // NOTE(review): the Statement is never closed; it should be released
        // in a finally block.
        Statement updateStm = con.createStatement();
        updateStm.executeUpdate("update " + table + " set " + sql + " where " + whereSQL);
    } catch (SQLException e) {
        // TODO Auto-generated catch block
        // Failures are printed and swallowed; the caller cannot tell the update failed.
        e.printStackTrace();
    }
// NOTE(review): the method's closing brace is missing from the pasted snippet.
这段代码有没有问题?
这段代码依然存在问题：它通过字符串拼接来生成 SQL 语句，值里的引号或分号会改变语句本身，因此容易受到 SQL 注入攻击。建议改用参数化查询，如下所示：
```
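/**
 * Updates the row of {@code table} identified by the key columns, with one
 * entry of {@code values} per result-set column ({@code values[i]} belongs to
 * column {@code i + 1} of {@code rsmd}). Column and table names are written
 * into the SQL text; every value is bound as a {@link PreparedStatement}
 * parameter, so a quote or a {@code ;} inside a value cannot change the
 * statement.
 *
 * <p>Column names come from the result-set metadata and the table name from
 * the {@code table} field, neither from the caller's {@code values}.
 * NOTE(review): this assumes {@code table} is not itself derived from user
 * input -- confirm at the point where it is assigned.
 *
 * <p>Key columns (those listed by {@link #getKeyFields()}) appear in both the
 * SET and the WHERE clause with the same value, joined with {@code and}. If
 * no supplied column is a key, the update is refused rather than run without
 * a WHERE clause.
 *
 * <p>SQL problems are reported the way the original code did: printed to
 * stderr and not propagated.
 *
 * @param values new values in result-set column order; non-VARCHAR/TIMESTAMP
 *               columns must hold a value parseable by {@link Integer#parseInt}
 * @throws IllegalArgumentException if {@code values} is null
 * @throws NumberFormatException if a non-VARCHAR/TIMESTAMP value is not an int
 */
public void updateRecord(String[] values) {
    if (values == null) {
        throw new IllegalArgumentException("values must not be null");
    }
    try {
        if (values.length == 0) {
            throw new SQLException("updateRecord: no values supplied for table " + table);
        }
        // Fetched once; the original re-read it on every loop iteration.
        Vector<?> keyFields = getKeyFields();
        StringBuilder setClause = new StringBuilder();
        StringBuilder whereClause = new StringBuilder();
        // Which columns are keys; needed again when binding the WHERE parameters.
        boolean[] isKey = new boolean[values.length];
        int keyCount = 0;
        for (int i = 0; i < values.length; i++) {
            String column = rsmd.getColumnName(i + 1);
            if (i > 0) {
                setClause.append(", ");
            }
            setClause.append(column).append(" = ?");
            if (keyFields.contains(column)) {
                isKey[i] = true;
                // Predicates must be joined with AND; concatenating them bare
                // produces invalid SQL for tables with more than one key column.
                if (keyCount > 0) {
                    whereClause.append(" and ");
                }
                whereClause.append(column).append(" = ?");
                keyCount++;
            }
        }
        if (keyCount == 0) {
            throw new SQLException("updateRecord: none of the supplied columns is a key field of "
                    + table + "; refusing an UPDATE without a WHERE clause");
        }
        String sql = "update " + table + " set " + setClause + " where " + whereClause;
        PreparedStatement updateStm = con.prepareStatement(sql);
        try {
            // Parameter positions follow the order of the '?' placeholders:
            // all SET columns first, then only the key columns of the WHERE clause.
            int index = 1;
            for (int i = 0; i < values.length; i++) {
                bindValue(updateStm, index++, i, values[i]);
            }
            for (int i = 0; i < values.length; i++) {
                if (isKey[i]) {
                    bindValue(updateStm, index++, i, values[i]);
                }
            }
            updateStm.executeUpdate();
        } finally {
            // Statements hold driver/server resources; release them on every path.
            updateStm.close();
        }
    } catch (SQLException e) {
        // Kept from the original: failures are printed, not propagated.
        e.printStackTrace();
    }
}

/**
 * Binds {@code value} to parameter {@code index} according to the JDBC type
 * of result-set column {@code column + 1}: VARCHAR and TIMESTAMP as a string,
 * everything else as an int (the original emitted all other columns as
 * unquoted numeric literals).
 * NOTE(review): DECIMAL, BIGINT or DATE columns would fail in parseInt;
 * widen this mapping if the table has such columns.
 *
 * @param stm    the statement being populated
 * @param index  1-based parameter position
 * @param column 0-based index into {@code values} (result-set column - 1)
 * @param value  the textual value to bind
 * @throws SQLException if the driver rejects the binding or the metadata lookup
 */
private void bindValue(PreparedStatement stm, int index, int column, String value) throws SQLException {
    int type = rsmd.getColumnType(column + 1);
    if (type == Types.VARCHAR || type == Types.TIMESTAMP) {
        stm.setString(index, value);
    } else {
        stm.setInt(index, Integer.parseInt(value));
    }
}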
```
这里使用了 `PreparedStatement` 对象，把各列的值作为参数绑定，而不是拼进 SQL 文本，从而避免了通过值进行的 SQL 注入攻击。