使用預準備語句的MySQL版本錯誤

Question

我正在使用準備好的語句來保護從sql注入攻擊我的sql查詢。聲明在另一篇文章中提出，我按照指示執行。當更新查詢運行時，我現在得到一個錯誤。它只在我的程序中出現幾個步驟。這裏是代碼的一部分和詳細說明錯誤的註釋區域。如果我需要發佈整個程序，請告訴我。

下面是摘錄：

String updateQuery ="" + " Update student" 
       + "Set firstname = ?, " 
       + "  lastname = ?, " 
       + "  gpa = ? " 
       + "  status = ?, " 
       + "  mentor = ?, " 
       + "  level = ?, " 
       + "  thesisTitle = ?, " 
       + "  thesisAdvisor = ?, " 
       + "  company = ?, " 
       + "Where studentid = ? "; 
      //This seems to work right up to set #7, then the program errors out. It indicates a syntax error that I cannot find? 
      // I wonder if the error is version dependant? Error points to MySQL version for correct syntax to use near '= ?, that would be right after firstName. 

     PreparedStatement pstmt = conn.prepareStatement(updateQuery); //to protect against SQL injection attacks 
      pstmt.setString(1,firstName); 
      pstmt.setString(2,lastName); 
      pstmt.setDouble(3,gpa); 
      pstmt.setString(4,status); 
      pstmt.setString(5,mentor); 
      pstmt.setString(6,level); 
      pstmt.setString(7,thesisTitle); 
      pstmt.setString(8,thesisAdvisor); 
      pstmt.setString(9,company); 
      pstmt.setString(10,studentID); 

      int rowsInserted = stmt.executeUpdate(updateQuery); 
     System.out.print("Number of Rows inserted = " + rowsInserted);  


     // Close the statement and the connection 

     stmt.close(); 
     conn.close(); 

Answer 1

在company

+ "  company = ?, " 
        ^here