Discussions in the group: RowSet, MySQL, PreparedStatement, PoEAA, etc.


Hongsoft (26929885) 16:51:26

String sql = "select * from resource_files where fileform = ?";

Connection conn = null;
PreparedStatement stmt = null;
try {
    if (sql != null && sql.indexOf("t_core_user") >= 0)
        conn = DbFactory.getDbTCoreUser().getConn();
    else
        conn = getConn();
    stmt = conn.prepareStatement(sql);
    stmt.setString(1, "jpg");
    // Passing the SQL text here calls Statement.executeQuery(String), which sends the raw
    // string with the '?' placeholder unreplaced and ignores the bound parameter; the
    // parameterised form is stmt.executeQuery() with no argument.
    ResultSet rs = stmt.executeQuery(sql);
} catch (SQLException e) {
    e.printStackTrace();
}
A test fails. What's the problem?
Hongsoft (26929885) 16:51:56
Exception in thread "main" java.sql.SQLException: Syntax error or access violation: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '?' at line 1
Strong (455196) 16:51:12
It seems okay.
Hongsoft (26929885) 16:54:33
Yes, in the same function
String sql = "select * from resource_files where fileform = '" + "jpg" + "'";
It is successful.
Cyt (53238) 16:52:04
MySQL none? Right?
Hongsoft (26929885) 16:54:47
? Really?
Strong (455196) 16:52:22
This is related to the driver.
Cyt (53238) 16:52:44
MySQL does not exist. The driver is not clear.
Jackyrong (1809772) 16:52:47
Cannot be used in MySQL? This is true.
Meavazier (37263) 16:52:48
Yes, it depends on the driver.
Strong (455196) 16:52:49
Under normal circumstances, ? will be replaced with 'jpg'
Jackyrong (1809772) 16:53:18
Oh? Are there any drivers available?
Strong (455196) 16:53:15
? It's a PreparedStatement.
Hongsoft (26929885) 16:56:11
Can't MySQL use PreparedStatement??
Strong (455196) 16:53:58
... How is it possible? Try another driver.
Cyt (53238) 16:53:59
At least I write it myself in the form of params, don't I?
MySQL does not have PreparedStatement.
Strong (455196) 16:54:06
Java?
Hongsoft (26929885) 16:56:42
Right
Strong (455196) 16:54:12
Is JDBC used? Of course
Cyt (53238) 16:54:15
If you don't believe it, go look at the MySQL API
Meavazier (37263) 16:54:40
This MySQL API does not matter...
Strong (455196) 16:54:45
Yes ..
Cyt (53238) 16:55:13
JDBC also depends on the MySQL API
Jackyrong (1809772) 16:55:55
Using the traditional MySQL driver, I have tried it before.
Cyt (53238) 16:56:31
Does some extra parsing
Hongsoft (26929885) 17:00:03
My driver version is high enough, ...
Hongsoft (26929885) 17:00:24
Why does MySQL not support this? Search it for me ..
Cyt (53238) 17:00:04
Rest 100% assured, MySQL definitely does not support it. Later versions are hard to say. It depends on the driver chosen. Ask Strong: what driver is used now?
Hongsoft (26929885) 17:05:06
It shouldn't be used now.
Ysql
Hongsoft (26929885) 17:05:45
I used Oracle most in the past. No wonder the current system does not use PreparedStatement. It was not supported by MySQL...
Hongsoft (26929885) 17:06:08
I tested the performance comparison of RowSet/ResultSet for half a day ..
Hongsoft (26929885) 17:08:20
One thing found: with a CP (connection pool), getConn doesn't even take 1 ms. Fast.
Cyt (53238) 17:07:34
In fact, the slow part is that when the socket is connected, DNS resolution and the three-way handshake are required.
Cyt (53238) 17:08:20
Therefore, the efficiency of the connection pool is usually not very poor, but the connection policy in it will have some impact on other aspects.
Hongsoft (26929885) 17:12:12
Indeed. Therefore, our system is a usecase with multiple connections (of course, the transaction is not considered)
Hongsoft (26929885) 17:12:32
Multiple connect() calls; it seems fast
Hongsoft (26929885) 17:13:11
Because RowSet is used, the connection is also released quickly and will not affect the number of connections.
Cyt (53238) 17:11:41
But does RowSet seem to be not supported by all databases?
Hongsoft (26929885) 17:15:06
Yes? It should be after JDBC 2.0.
Cyt (53238) 17:13:26
I don't know. Well, which expert should I explain?
Hongsoft (26929885) 17:17:03
Then I took a look at the so-called disconnected feature of RowSet. It seems that it is not very useful.
David. Turing (10508778) 17:14:35
Does sql.RowSet come from the JDK SPI? Who dares not to support it?
Hongsoft (26929885) 17:18:19
Not in the past
Hongsoft (26929885) 17:18:52
Later it became SPI, and Sun also made an implementation
David. Turing (10508778) 17:17:52
Oh, you know the cause and effect.
Hongsoft (26929885) 17:21:08
Just understand
Hongsoft (26929885) 17:21:31
Why is the disconnection feature not very useful?
Hongsoft (26929885) 17:21:39
There is a reason
Hongsoft (26929885) 17:22:22
Here, let me first insert a remark: the RowSet mentioned in PoEAA, saying it can have a great impact on our architecture model ..
Hongsoft (26929885) 17:24:27
If you want to use the disconnected feature: the only difference is that after select returns the CachedRowSet, you continue to use it (even after conn.close()).
Hongsoft (26929885) 17:24:55
However, this method has a huge impact on the readability of the Code and is ugly.
Hongsoft (26929885) 17:25:11
Other update/insert/delete operations have no effect.
Hongsoft (26929885) 17:26:28
It is also mentioned that the use of PreparedStatement can have a great positive impact on system performance and security. Our system has encountered such a problem.
Hongsoft (26929885) 17:27:30
In PoEAA, RowSet is mentioned. I think it can be very convenient for us to use DDD, but PoEAA is talking about Table Module, which is still unknown.

David. Turing (10508778) 17:26:40
What security issues does PreparedStatement have?
Hongsoft (26929885) 17:30:32
I am talking about a "positive impact", which means problems may occur when Statement is used.
David. Turing (10508778) 17:28:46
Agree.
Hongsoft (26929885) 17:32:44
Currently, with MySQL we can only use Statement. Strings in all SQL statements must be converted using this method:
Hongsoft (26929885) 17:32:52
// Encode the string to pass in the SQL statement
public static String encodeToSqlString(String s) {
    if (s == null)
        return null;
    // Backslash must be doubled first, then the control characters and quote marks.
    // Note: unlike MySQL's own escaping this does not handle NUL (\0) or Ctrl-Z,
    // and it is not aware of the connection character set.
    return s.replaceAll("\\\\", "\\\\\\\\")
            .replaceAll("\r", "\\\\r")
            .replaceAll("\n", "\\\\n")
            .replaceAll("\t", "\\\\t")
            .replaceAll("\b", "\\\\b")
            .replaceAll("'", "\\\\'")
            .replaceAll("\"", "\\\\\"");
}
Hongsoft (26929885) 17:33:32
Otherwise, SQL injection is possible.
Sleep all night (5315916) 17:31:36
My operating system is WinXP and Office is 2003. When I open a Word document, the pictures and directories are garbled characters. I don't know why.
Hongsoft (26929885) 17:34:16
When I tried, I dropped the database of a forum.
David. Turing (10508778) 17:31:48
Well, a smart way.
Sleep all night (5315916) 17:31:59
Is it because Office 2003 cannot be installed on WinXP?
Hongsoft (26929885) 17:34:44
This method is also the PreparedStatement method.
Hongsoft (26929885) 17:34:55
We use this method.
Cyt (53238) 17:32:33
MySQL API itself provides a function dedicated to this type of conversion.
David. Turing (10508778) 17:32:57
Can I share the following modules?
Hongsoft (26929885) 17:35:40
Yes? The API you are talking about is a C-level API, right?
Hongsoft (26929885) 17:35:45
What module?
Hongsoft (26929885) 17:36:05
Are there all methods?
David. Turing (10508778) 17:33:51
It is very difficult to directly insert SQL statements if you perform a transformation.
Hongsoft (26929885) 17:36:46
Now this should be okay :)
David. Turing (10508778) 17:34:58
Well, it's actually nothing. Using JSP semantics alone can prevent injection.
Hongsoft (26929885) 17:37:51
How can this problem be solved? Input check?
David. Turing (10508778) 17:36:56
Embed comments into statements that may generate SQL statements to prevent SQL statements with correct syntax.
David. Turing (10508778) 17:38:20
Background Analysis to prevent SQL connection.
Hongsoft (26929885) 17:42:23
Oh
Cyt (53238) 17:39:58
unsigned long STDCALL mysql_escape_string(char *to, const char *from,
                                         unsigned long from_length);
 
David. Turing (10508778) 17:42:09
Cyt is the simplest ~
Cyt (53238) 17:42:45
In fact, JDBC should provide a similar function
Cyt (53238) 17:43:04
For example, the escape method of Oracle is different from that of MySQL.
David. Turing (10508778) 17:44:07
Good idea, but there are too many databases in the world, with hundreds.
Cyt (53238) 17:44:48
It's a standard; JDBC isn't taking care of these hundreds of databases
Cyt (53238) 17:45:48
This must be added to the ODBC/JDBC standard.
David. Turing (10508778) 17:46:58
To add an SPI for SQL injection, hongsoft has a big face.
Cyt (53238) 17:47:33