日期:2014-05-20  浏览次数:20788 次

关于JAVA的SQL转义问题,请高手来解决
Java code
public static void update (Products aProduct)
    {
        Statement aStatement=null;
        String strSQL="UPDATE Products SET";
        strSQL+=" ProductName="+"'"+aProduct.getProductName()+"'"+",";
        strSQL+=" SupplierID="+aProduct.getSupplierID()+",";
        strSQL+=" CategoryID="+aProduct.getCateGoryID()+",";
        strSQL+=" QuantityPerUnit="+"'"+aProduct.getQuantityPerUnit()+"'"+",";
        strSQL+=" UnitPrice="+aProduct.getUnitPrice()+",";
        strSQL+=" UnitsInStock="+aProduct.getUnitsInStock()+",";
        strSQL+=" UnitsOnOrder="+aProduct.getUnitsOnOrder()+",";
        strSQL+=" ReorderLevel="+aProduct.getReorderLevel()+",";
        strSQL+=" Discontinued="+(aProduct.getDiscontinued()?1:0);
        strSQL+=" WHERE ProductID="+aProduct.getProductID();
        try
        {
            getDBConnection();
            aStatement=aConnection.createStatement();
            
            aStatement.executeUpdate(strSQL);
            
        }
        catch(SQLException e)
        {
            JOptionPane.showMessageDialog(null, e.getMessage(),"Error",JOptionPane.ERROR_MESSAGE);
            
        }
        finally
        {
            closeStatement(aStatement);
            closeConnection();
            System.out.println(strSQL);
        }
    }

现在的问题是我想更新数据库里的ProductName="a'b",其中包含"'"单引号无法插入,数据库报错。请问有什么就简单的办法完整特殊字符的转义。

------解决方案--------------------
Java code

public static void update (Products aProduct)
    {
        PreparedStatement aStatement=null;

        String strSQL="UPDATE Products SET";
        strSQL+=" ProductName=?,";
        strSQL+=" SupplierID=?,";
        strSQL+=" CategoryID=?,";
        strSQL+=" QuantityPerUnit=?,";
        strSQL+=" UnitPrice=?,";
        strSQL+=" UnitsInStock=?,";
        strSQL+=" UnitsOnOrder=?,";
        strSQL+=" ReorderLevel=?,";
        strSQL+=" Discontinued=?";
        strSQL+=" WHERE ProductID=?";
        try
        {
            getDBConnection();
            aStatement=aConnection.preparedStatement(strSQL);
            int parameterIndex=1;
            aStatement.setString(parameterIndex, aProduct.getProductName());
            parameterIndex++;
            aStatement.setInt(parameterIndex, aProduct.getSupplierID());
            parameterIndex++;
            aStatement.setInt(parameterIndex, aProduct.getCateGoryID());
            parameterIndex++;
            aStatement.setString(parameterIndex, aProduct.getQuantityPerUnit());
            parameterIndex++;
            aStatement.setDouble(parameterIndex, aProduct.getUnitPrice());
            parameterIndex++;
            aStatement.setInt(parameterIndex, aProduct.getUnitsInStock());
            parameterIndex++;
            aStatement.setInt(parameterIndex, aProduct.getUnitsOnOrder());
            parameterIndex++;
            aStatement.setInt(parameterIndex, aProduct.getReorderLevel());
            parameterIndex++;
            aStatement.setInt(parameterIndex, (aProduct.getDiscontinued()?1:0));
            parameterIndex++;
            aStatement.setInt(parameterIndex, aProduct.getProductID());
            parameterIndex++;
            aStatement.executeUpdate();
            
        }
        catch(SQLException e)
        {
            JOptionPane.showMessageDialog(null, e.getMessage(),"Error",JOptionPane.ERROR_MESSAGE);
            
        }
        finally
        {
            closeStatement(aStatement);
            closeConnection();
            System.out.println(strSQL);
        }
    }