您的代码中有两个问题:
SQL语句
;
最后不需要分号。它将使代码失败。该代码易于进行SQL注入并且难以维护。请
PreparedStatement
改用:
这应该是工作代码:
String sql = "INSERT INTO MyAlbums VALUES (?, ?, ?, ?, ?)";PreparedStatement pstmt = connection.prepareStatement(sql);if(album instanceof CDAlbum) { pstmt.setString(1, "CD"); CDAlbum cdAlbum = (CDAlbum)album; pstmt.setString(4, cdAlbum.getArtist()); pstmt.setString(5, cdAlbum.getTracks());}if(album instanceof DVDAlbum) { pstmt.setString(1, "DVD"); DVDAlbum dvdAlbum = (DVDAlbum)album; pstmt.setString(4, dvdAlbum.getDirector()); pstmt.setString(5, dvdAlbum.getPlotOutline());}pstmt.setString(2, album.getTitle());pstmt.setString(3, album.getGenre());pstmt.executeUpdate();在 大 平原字符串连接而这种做法对于你的情况之间的区别就是
PreparedStatement参数会逃跑任何
'和
"和其他字符你。
