Spring: Unknown column in 'where clause'

I am trying to pass the username from the Spring Security login page to a page called Timetables, which displays a MySQL SELECT over a database table. The page should only show the data belonging to the logged-in user.

But no matter what I try, I get a 500 error saying

nested exception is java.sql.SQLSyntaxErrorException: Unknown column 'admin1' in 'where clause'

ADMIN1 is the username used to log in.

I tried `System.out.println(loginname);` to test the variable, and it is indeed a String.

I have tried several tricks, but the only thing that works is if I manually add 'admin1' at the end of the string. Since I have multiple users, that is not a solution.

Any ideas why I might be getting this error? The error occurs at the end of the SQL string in the service class.

The controller, which reads the username:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class TimetableController {
    @Autowired
    TimetableService service;
    @Autowired
    AssignmentsService serv;

    @RequestMapping(value = {"/Timetable"}, method = RequestMethod.GET)
    public String index(Model md) {
        // name of the currently authenticated user, as stored by Spring Security
        org.springframework.security.core.Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        System.out.println(auth.getName());
        String loginname = auth.getName();
        md.addAttribute("timetables", service.findAll(loginname));
        return "Timetable";
    }
    //request for adding new entry
}
```
And the query:
```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.stereotype.Service;

@Service
public class TimetableService {
    @Autowired
    JdbcTemplate template;

    public List<Timetable> findAll(String loginname) {
        // System.out.println(loginname);
        // String test = "admin1";
        // the username is concatenated directly into the SQL text; this is where the error points
        String sql = " SELECT timetables.timetableId, timetables.assignmentId, timetables.date, " +
                "timetables.hoursWorked, users.username, projects.projectName FROM timetables" +
                " INNER join assignments on assignments.assignmentId = timetables.assignmentId" +
                " INNER JOIN users on users.userId = assignments.userId" +
                " INNER JOIN projects on assignments.projectId = projects.projectId where username=" + loginname;
        RowMapper<Timetable> rm = new RowMapper<Timetable>() {
            @Override
            public Timetable mapRow(ResultSet resultSet, int i) throws SQLException {
                Timetable timetable = new Timetable(resultSet.getInt("timetableId"),
                        resultSet.getInt("assignmentId"),
                        resultSet.getDate("date"),
                        resultSet.getInt("hoursWorked"));
                return timetable;
            }
        };
        return template.query(sql, rm);
    }
}
```
The table from Timetable.html:
```html
<table class="table table-bordered">
    <thead>
        <tr>
            <th>id</th>
            <th>project</th>
            <th>date</th>
            <th>number of hours</th>
        </tr>
    </thead>
    <tbody>
        <tr th:each="obj: ${timetables}">
            <td th:text="${obj.timetableId}">45</td>
            <td th:value="${obj.assignmentId}">vasi</td>
            <td th:text="${obj.date}">1 ian</td>
            <td th:text="${obj.hoursWorked}"></td>
        </tr>
    </tbody>
</table>
```
**Vulnerable to SQL injection** – holmis83
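As an added example (not code from the question or from either participant), here is the service rewritten so the username is passed as a JDBC bind parameter instead of being concatenated into the SQL text. Without quotes, MySQL reads `where username=admin1` as a comparison between two columns, which is exactly the "Unknown column 'admin1'" error; adding quotes by hand makes the statement parse, but the string is still built from user-controlled input, which is the SQL injection holmis83's comment refers to. A `?` placeholder fixes both problems at once. The example assumes the same `Timetable` constructor and `JdbcTemplate` field used in the question; `FIND_BY_USER_SQL` and `ROW_MAPPER` are names chosen here, and `username` is qualified as `users.username` to avoid any ambiguity across the joined tables.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.stereotype.Service;

@Service
public class TimetableService {

    @Autowired
    JdbcTemplate template;

    // The SQL text is a fixed constant. The username never becomes part of the
    // statement string; it is sent separately as the value bound to the "?" placeholder.
    private static final String FIND_BY_USER_SQL =
            "SELECT timetables.timetableId, timetables.assignmentId, timetables.date, "
          + "timetables.hoursWorked, users.username, projects.projectName "
          + "FROM timetables "
          + "INNER JOIN assignments ON assignments.assignmentId = timetables.assignmentId "
          + "INNER JOIN users ON users.userId = assignments.userId "
          + "INNER JOIN projects ON assignments.projectId = projects.projectId "
          + "WHERE users.username = ?";

    // Maps one result row to a Timetable; assumes the 4-argument constructor from the question.
    private static final RowMapper<Timetable> ROW_MAPPER = (ResultSet rs, int rowNum) ->
            new Timetable(
                    rs.getInt("timetableId"),
                    rs.getInt("assignmentId"),
                    rs.getDate("date"),
                    rs.getInt("hoursWorked"));

    public List<Timetable> findAll(String loginname) {
        // JdbcTemplate.query(String sql, RowMapper<T> rowMapper, Object... args)
        // binds loginname as a string value. The driver quotes and escapes it, so
        // "admin1" is compared against the column rather than parsed as a column name,
        // and no part of the input can be interpreted as SQL syntax.
        return template.query(FIND_BY_USER_SQL, ROW_MAPPER, loginname);
    }
}
```

The controller does not need to change: it still calls `service.findAll(auth.getName())`. Because the statement text is now constant, it can also be prepared once by the driver and reused, which is a side benefit of binding parameters rather than building strings.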