mysql使用参数化查询,like模糊查询,应如何拼接字符串_MySQL
bitsCN.com
mysql使用参数化查询,like模糊查询,应如何拼接字符串
好奇是学习的源动力:因为在群里潜水看到关注sql注入的讨论,尝试在自己程序的搜索框输入单引号,程序报错,开始尝试修改为参数化查询,噩梦开始了。。
搬出了毕业时写的DBHelper(很早写的使用参数化查询的操作类),替换掉程序中为了方便精简(姑且这么说吧)的DBHelper。
开始安装平常的逻辑拼接:sql += " where t.realName like '%?realName%'";//失败了,无论如何都查不出来数据。
失败原因:据说是因为'' 引号包裹了?realName,程序认为这是个字符串,不是关键字,不进行解析了。
此后我又试了类似这样的格式,各种拼接方式,
如:sql += " where t.realName like '%"+"?realName"+"%'";//想要将?realName作为参数,来让程序识别,基础不牢的弊病有暴露了,被高手指出,这明明就是拼接字符串嘛,羞愧难当。
继续请教,得出如下:sql += " where t.realName like '%'+?realName + '%'";//抛出异常,还是不行。
然后我想换一种方式,借着以前高手的思路:如果两表之间没有关系,就创造关系。//这句话对我影响很大,受益匪浅。 当时是mssql,有2,4,5,16这样的数据格式,这些数字都是另外一张表的标识列,使用charindex来进行关联。跑题了-------
我经过google查询,使用了如下sql:sql += " where instr(t.realName,?realName)>0";//能正常查询了,又有点担心某位大神说的,查询使用函数,会造成无法使用索引,造成性能下降,担忧。。
午饭后:基友Alex写来一份Sql语句,尝试下,如下:sql += " where t.realName like concat(?realName,'%')";//查询成功,这个是mysql中特有的拼接字符串的方式,着实让我蛋疼。。。题外篇:mssql是用+号拼接,oracle是用||拼接,mysql就是concat(var1,var2,.....)拼接
总结:1,虽然在前几天帮助同事用concat函数搞定了一个查询,但是到自己使用,却头脑不灵光,惭愧。
2,在毕业时,还整天写参数化查询,工作了却不断找寻偷懒的方法,人变坏了。
3,基础不牢,早晚有一天要补的,我就吃亏了。
4,关于查询中使用函数是否会造成索引失效,有待高手回答。
5,mysql中有个全文检索,貌似是鸡肋。
bitsCN.com
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1382
52
MySQL: Simple Concepts for Easy Learning
Apr 10, 2025 am 09:29 AM
MySQL is an open source relational database management system. 1) Create database and tables: Use the CREATEDATABASE and CREATETABLE commands. 2) Basic operations: INSERT, UPDATE, DELETE and SELECT. 3) Advanced operations: JOIN, subquery and transaction processing. 4) Debugging skills: Check syntax, data type and permissions. 5) Optimization suggestions: Use indexes, avoid SELECT* and use transactions.
How to open phpmyadmin
Apr 10, 2025 pm 10:51 PM
You can open phpMyAdmin through the following steps: 1. Log in to the website control panel; 2. Find and click the phpMyAdmin icon; 3. Enter MySQL credentials; 4. Click "Login".
MySQL: An Introduction to the World's Most Popular Database
Apr 12, 2025 am 12:18 AM
MySQL is an open source relational database management system, mainly used to store and retrieve data quickly and reliably. Its working principle includes client requests, query resolution, execution of queries and return results. Examples of usage include creating tables, inserting and querying data, and advanced features such as JOIN operations. Common errors involve SQL syntax, data types, and permissions, and optimization suggestions include the use of indexes, optimized queries, and partitioning of tables.
Why Use MySQL? Benefits and Advantages
Apr 12, 2025 am 12:17 AM
MySQL is chosen for its performance, reliability, ease of use, and community support. 1.MySQL provides efficient data storage and retrieval functions, supporting multiple data types and advanced query operations. 2. Adopt client-server architecture and multiple storage engines to support transaction and query optimization. 3. Easy to use, supports a variety of operating systems and programming languages. 4. Have strong community support and provide rich resources and solutions.
How to use single threaded redis
Apr 10, 2025 pm 07:12 PM
Redis uses a single threaded architecture to provide high performance, simplicity, and consistency. It utilizes I/O multiplexing, event loops, non-blocking I/O, and shared memory to improve concurrency, but with limitations of concurrency limitations, single point of failure, and unsuitable for write-intensive workloads.
MySQL and SQL: Essential Skills for Developers
Apr 10, 2025 am 09:30 AM
MySQL and SQL are essential skills for developers. 1.MySQL is an open source relational database management system, and SQL is the standard language used to manage and operate databases. 2.MySQL supports multiple storage engines through efficient data storage and retrieval functions, and SQL completes complex data operations through simple statements. 3. Examples of usage include basic queries and advanced queries, such as filtering and sorting by condition. 4. Common errors include syntax errors and performance issues, which can be optimized by checking SQL statements and using EXPLAIN commands. 5. Performance optimization techniques include using indexes, avoiding full table scanning, optimizing JOIN operations and improving code readability.
MySQL's Place: Databases and Programming
Apr 13, 2025 am 12:18 AM
MySQL's position in databases and programming is very important. It is an open source relational database management system that is widely used in various application scenarios. 1) MySQL provides efficient data storage, organization and retrieval functions, supporting Web, mobile and enterprise-level systems. 2) It uses a client-server architecture, supports multiple storage engines and index optimization. 3) Basic usages include creating tables and inserting data, and advanced usages involve multi-table JOINs and complex queries. 4) Frequently asked questions such as SQL syntax errors and performance issues can be debugged through the EXPLAIN command and slow query log. 5) Performance optimization methods include rational use of indexes, optimized query and use of caches. Best practices include using transactions and PreparedStatemen
How to build a SQL database
Apr 09, 2025 pm 04:24 PM
Building an SQL database involves 10 steps: selecting DBMS; installing DBMS; creating a database; creating a table; inserting data; retrieving data; updating data; deleting data; managing users; backing up the database.
