2016-08-18 47 views
1

我想創建使用休眠準備語句的新表。它看起來像"setparameter("values", value)"添加額外的引號來查詢。 我的代碼:休眠setParameter字符串添加單引號

String hql = "create table :values " + "(name VARCHAR(50))"; 
     Query my = session.createSQLQuery(hql); 
     my.setParameter("values", value); 
     my.executeUpdate(); 
     session.close(); 

錯誤:

SEVERE: Servlet.service() for servlet [contextServlet] in context with path [/SpringSafeHouseService2.0] threw exception [Request processing failed; nested exception is org.hibernate.exception.SQLGrammarException: could not execute statement] with root cause 
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''merkurijuss' (name VARCHAR(50))' at line 1 
+0

您可以使用表名作爲參數在事先準備好的聲明 – Jens

回答

0

不能在準備好的聲明中使用表名稱作爲參數。你必須把它放進刺:

String hql = "create table "+ value+ " (name VARCHAR(50))"; 
    Query my = session.createSQLQuery(hql); 
    my.executeUpdate(); 
    session.close(); 
+0

那麼如何防止SQL注入這個查詢? – Liver

+0

@☺LiverSQL注入只適用於列名不爲表名 – Jens

+0

的值,但代碼是不可讀的。 – Jens