我有一个MySQL表,看起来像这样:
我在表单中创建了一些Textfields并将输入保存为字符串:
String name = shopname.getText();
String address = streetaddress.getText();
String city = cityname.getText();
String state = statename.getText();
String country = countryname.getText();
String zip = zipcode.getText();
String phonept1 = phonecountryid.getText();
String phonept2 = phoneareaid.getText();
String phonept3 = phoneothernumber.getText();
String phonefull = phonept2 + " " + "(" + phonept1 + ")" + " " + phonept3;
然后我做了一个INSERT方法,它与旧的SQLite数据库配合得很好:
conn = DBConnect.Connector();
stmt = conn.createStatement();
stmt.executeUpdate("INSERT INTO shopList (name,address,city,state,country,zipcode,phonefull) VALUES(" +name+ "," + address + "," + city + "," + state + "," + country + "," + zip + "," + phonefull + ")");
conn.close();
但现在它说:
SEVERE:null com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException:SQL语法中有错误;查看与您的MySQL服务器版本对应的手册,以便在第1行的“(22)222222”附近使用正确的语法
有人看到语法错误吗?
PS . (22)222222是经过测试的phonefull输入 .
1 回答
试试这个(我用单引号包裹你的字符串VALUES)
edit:
通过直接传递字符串值,您将自己容易受到 SQL injections 的攻击 . 如果可能,您希望使用
PreparedStatement
对象和setString
方法 .