无法在 JDBC PreparedStatement 上的单引号内转义参数

Question

我想通过 JDBC 进行这样的查询（注意它包含一些 postgis 函数）：

SELECT id, name, ST_Y(location::geometry) as latitude, ST_X(location::geometry) as longitude, category_group, category 
FROM pois 
WHERE ST_DWithin(location, ST_GeographyFromText('SRID=4326;POINT(-5.8340534 43.3581991)'), 1000000);

所以我将查询参数化为：

SELECT id, name, ST_Y(location::geometry) as latitude, ST_X(location::geometry) as longitude, category_group, category 
FROM pois 
WHERE ST_DWithin(location, ST_GeographyFromText('SRID=4326;POINT(? ?)'), ?);

问题是执行preparedStament时找不到前2个参数，因为它们在单引号内，所以报错。

我也尝试用 \' 转义单引号但没有成功：

SELECT id, name, ST_Y(location::geometry) as latitude, ST_X(location::geometry) as longitude, category_group, category 
FROM pois 
WHERE ST_DWithin(location, ST_GeographyFromText(\'SRID=4326;POINT(? ?)\'), ?);

目前，作为一种解决方法，我没有绑定参数，只是将查询字符串附加到它们上，但这很容易受到 SQL 注入的影响，所以我只想知道是否有任何方法可以转义该语句参数绑定工作。

Answer 1

问自己，我正在使用字符串 concat：

"SELECT id, name, ST_Y(location::geometry) as latitude, ST_X(location::geometry) as longitude, category_group, category 
FROM pois 
WHERE ST_DWithin(location, ST_GeographyFromText('SRID=4326;POINT(' || ? || ' ' || ? || ')'), ?);"

Answer 2

作为一个幼稚的答案....

您可以在查询之前分配参数，然后将其与查询连接 例如：

Scanner scan = new Scanner(System.in); //don't forget to import java.util package
String par1 = scan.nextLine();
String par2 = scan.nextLine();

稍后

String query = "SELECT id, name, ST_Y(location::geometry) as latitude, " + 
    "ST_X(location::geometry) as longitude, category_group, category " +
    "FROM pois " +
    "WHERE ST_DWithin(location, ST_GeographyFromText('SRID=4326;POINT("+par1+" "+par2+")'), ?)"; 

现在将此查询传递给查询创建语句