mySQL PreparedStatement 与 JAVA 中的语句 [重复]

Question

在我的程序中，我必须更新数据库中的数据。为此，我创建了一个 UPDATE 语句。只有更改的文本字段才应该更新。这是我程序的重要部分：

String update = "UPDATE members set " + TFArray[i].getUserData().toString() +" = \"" + TFArray[i].getText() +"\" WHERE MemberNr = " + m.getMemberNr() + ";";
System.out.println(update);
statement = DBConnection.connection.createStatement();
statement.executeUpdate(update);
DBConnection.connection.setAutoCommit(false); 
DBConnection.connection.commit();
DBConnection.connection.setAutoCommit(true);

这非常有效。但是对于一般的 UPDATE 语句，我想使用这样的准备好的语句：

String update = "UPDATE members SET ? = \" ? \" WHERE MEMBERNR = ?;";
ps = DBConnection.connection.prepareStatement(update);
ps.setString(1, TFArray[i].getUserData().toString()); 
ps.setString(2, TFArray[i].getText()); 
ps.setString(3, m.getMemberNr()); 
ps.addBatch(); 
DBConnection.connection.setAutoCommit(false); 
ps.executeBatch(); 
DBConnection.connection.setAutoCommit(true); 

有了这个字符串，我得到一个异常，指出参数超出范围 (3 > 2)。

有人有想法吗？

Answer 1

您不能绑定列名。所以代码应该是这样的（小心sql注入！）：

  String update = "UPDATE members SET " + TFArray[i].getUserData().toString() + " = ? WHERE MEMBERNR = ?";
  ps = DBConnection.connection.prepareStatement(update);
  ps.setString(1,TFArray[i].getText()); 
  ps.setString(2,m.getMemberNr()); 
  ps.addBatch(); 
  DBConnection.connection.setAutoCommit(false); 
  ps.executeBatch(); 
  DBConnection.connection.setAutoCommit(true); 

Answer 2

准备好的语句参数仅适用于查询值而不是列名。由于SQL Injection的风险，应避免字符串连接

String update = "UPDATE members SET FIELD = ? WHERE MEMBERNR = ?";