Java 和 MySQL 插入语句

Question

我刚从 JBDC 开始。我需要创建一个 Java/MySQL 插入语句，该语句插入 null、字符串和解析为 int 的字符串（作为用户使用 Scanner 的输入）。我尝试了很多可能性，但到目前为止没有任何效果。编写这样的插入语句的正确方法是什么，或者我应该考虑其他推荐的方法？ 感谢您的帮助！

import java.util.ArrayList;
import java.util.Scanner;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class AddBook {

    static Scanner keyboard = new Scanner(System.in);

    static InvMenu invmenu = new InvMenu();
    static MainMenu mainmenu = new MainMenu();

    static boolean b = true;
    static int x;
    static double y;
    static double z;
    static String choice;
    static char letter;

    public static void addBook(){

        Connection conn = null;
        Statement stmt = null;
        ResultSet rs = null;


        System.out.println("+----------------+");
        System.out.println("| Add a Book     |");
        System.out.println("+----------------+\n");

        System.out.print("\nEnter ISBN number: "); 
        String isbn = keyboard.next();

        System.out.print("Enter Book Title: "); 
        String title = keyboard.next();

        System.out.print("Enter Author's name: "); 
        String author = keyboard.next();

        System.out.print("Enter Publisher's name: "); 
        String publisher = keyboard.next();

        System.out.print("Enter The Date the Book is Added to the Inventory (MM/DD/YYYY): "); 
        String dateAdded = keyboard.next();

        do{

            b = true;
            System.out.print("Enter The Quantity of Book Being Added: ");
            String qtyOnHand = keyboard.next();

            try {

                x = Integer.parseInt(qtyOnHand);

            }

            catch(NumberFormatException nFE) {

                b = false;
                System.out.println();
                System.out.println("--------------------------------------------------------");
                System.out.println(" !!!   You did not enter a valid value. Try again   !!!");
                System.out.println("--------------------------------------------------------");
                System.out.println();

            }

        }while(b == false);

        do{

            b = true;
            System.out.print("Enter The Wholesale Cost of the Book: ");
            String wholesale = keyboard.next();

            try {

                y = Double.parseDouble(wholesale);

            }

            catch(NumberFormatException nFE) {

                b = false;
                System.out.println("--------------------------------");
                System.out.println(" !   Wrong Value. Try again   !");
                System.out.println("--------------------------------\n");

            }

        }while(b == false);

        do{

            b = true;
            System.out.print("Enter The Retail Price of the Book: ");
            String retail = keyboard.next();

            try {

                z = Double.parseDouble(retail);

            }

            catch(NumberFormatException nFE) {

                b = false;
                System.out.println("--------------------------------");
                System.out.println(" !   Wrong Value. Try again   !");
                System.out.println("--------------------------------\n");

            }

        }while(b == false);

        System.out.println("-------------------------------------------");
        System.out.println("ISBN number: " + isbn);
        System.out.println("Book Title: " + title);
        System.out.println("Author's name: " + author);
        System.out.println("Publisher's name: " + publisher);
        System.out.println("The Date the Book is Added to the Inventory (MM/DD/YYYY): " + dateAdded);
        System.out.println("The Quantity of Book Being Added: " + x);
        System.out.printf("The Wholesale Cost of the Book: $ %6.2f\n", y);
        System.out.printf("The Retail Price of the Book: $ %6.2f\n", z);
        System.out.println("-------------------------------------------\n");

        try {

            Class.forName("com.mysql.jdbc.Driver").newInstance();

            String connectionUrl = "jdbc:mysql://localhost:3306/serendipity";
            String connectionUser = "root";
            String connectionPassword = "password";
            conn = DriverManager.getConnection(connectionUrl, connectionUser, connectionPassword);
            stmt = conn.createStatement();

            stmt.executeUpdate("INSERT INTO books(book_id, isbn, title, author, publisher, dateAdded, qtyOnHand, wholesale, retail) VALUES ('"+null+ "','"  +isbn+ " ','" +title+ " ',' "  +author+ " ',' " +publisher+ " ',' " +dateAdded+ " ',' " +x+ " ',' " +y+ " ',' " +z+" ')");


        } 

        catch (Exception e) {

            e.printStackTrace();

        } 

        finally {

            try { 

                if (rs != null) rs.close(); 

            } 

            catch (SQLException e) { 

                e.printStackTrace(); 

            }

            try { 

                if (stmt != null) stmt.close(); 

            } 

            catch (SQLException e) { 

                e.printStackTrace(); 

            }

            try { 

                if (conn != null) conn.close(); 

            } catch (SQLException e) { 

                e.printStackTrace(); 

            }

                System.out.println("+------------------------------------+");
                System.out.println("| The Book is Added to the Inventory |");
                System.out.println("+------------------------------------+\n"); 

        }

    }

}

Answer 1

您可能需要考虑使用PreparedStatement 并使用setNull() 插入null。

原始 SQL 语句容易受到 SQL 注入攻击。

请参阅此example 以了解有关如何使用 setNull 的更多信息

Answer 2

您确定连接正常吗？那么，你可以考虑使用preQueryStatement

这是一个小例子：

    cnnct = getConnection();
    String preQueryStatement = "INSERT  INTO  CUSTOMER  VALUES  (?,?,?,?)";
    pStmnt = cnnct.prepareStatement(preQueryStatement);
    pStmnt.setString(1, CustId);
    pStmnt.setString(2, Name);
    pStmnt.setString(3, Tel);
    pStmnt.setInt(4, Age);