我正在使用PreparedStatement
在SQL中编写一些代码以帮助进行SQL注入。Java中的PreparedStatement包含数据库和列名称的变量
例子:
stm = c.prepareStatement("UPDATE "
+ listResults.get(i).get(TemplateFile.TYPEOFPLAY).toLowerCase()
+ " SET score=? WHERE player_name_fkey=? AND school_name_fkey=? AND tournament_number=?;");
stm.setInt(1, Utilities.readNumber(listResults.get(i).get(TemplateFile.TOURNAMENT + j - 1)));
stm.setString(2, listResults.get(i).get(TemplateFile.NAME));
stm.setString(3, listResults.get(i).get(TemplateFile.SCHOOL_NAME));
stm.setInt(4, j);
我的问题是:有没有办法让PreparedStatement对象允许参数(签名了吗?)要用于数据库名称和列。 例如:
stm = c.prepareStatement("UPDATE ? SET score=? WHERE player_name_fkey=? AND school_name_fkey=? AND tournament_number=?;");
stm.setString(1, listResults.get(i).get(TemplateFile.TYPEOFPLAY).toLowerCase());
stm.setInt(2, Utilities.readNumber(listResults.get(i).get(TemplateFile.TOURNAMENT + j - 1)));
stm.setString(3, listResults.get(i).get(TemplateFile.NAME));
stm.setString(4, listResults.get(i).get(TemplateFile.SCHOOL_NAME));
stm.setInt(5, j);
它看起来好多了,并且更容易读为好。
在此先感谢您的帮助!
谢谢你给出了非常有益的答案! –