SQL 语句和准备语句错误

SQL Statement and Prepared Statement error

用户输入一种疾病,SQL 应该 return 所有患有这种疾病的患者的详细信息。但我收到以下错误:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?' at line 1

SQL查询如下图。请帮我调试一下。

SELECT patient_personal_details.patient_id, 
       patient_personal_details.first_name, 
       patient_personal_details.last_name, 
       patient_personal_details.gender, 
       patient_personal_details.occupation, 
       patient_personal_details.marital_status 
FROM patient_personal_details
INNER JOIN patient_medical_details
ON patient_personal_details.patient_id = patient_medical_details.patient_id
WHERE patient_medical_details.disease = ?

代码如下:

public JTable getAllPatientsByDisease(String disease)throws RemoteException{
    JTable table = null;
    try{
        Class.forName("com.mysql.jdbc.Driver");
        Connection con = DriverManager.getConnection("jdbc:mysql://localhost/hospital_database","root","");
        String sql = " SELECT patient_personal_details.patient_id, patient_personal_details.first_name, patient_personal_details.last_name, patient_personal_details.gender, patient_personal_details.occupation, patient_personal_details.marital_status FROM patient_personal_details "
                + " INNER JOIN patient_medical_details "
                + " ON patient_personal_details.patient_id = patient_medical_details.patient_id "
                + " WHERE patient_medical_details.disease = ? ";
        PreparedStatement ps = con.prepareStatement(sql);
        ps.setString(1, disease);
        ResultSet rs = ps.executeQuery(sql);

        table =  new JTable(buildTableModel(rs));
    }
    catch(SQLException | ClassNotFoundException e){
        System.out.println("Error: "+e);
    }
    return table;
}

更新答案(现在我们有了代码)

问题在这里:

ResultSet rs = ps.executeQuery(sql);
// ----------------------------^^^

删除sql,只需使用:

ResultSet rs = ps.executeQuery();

通过将 SQL 指定为参数,您使用的是 Statement#executeQuery, not PreparedStatement#executeQueryStatement#executeQuery 按字面意思使用 SQL 字符串,没有替换参数(基本上就好像你没有调用 setString 一样)。 (是的,这不是 JDBC 人的绝妙设计决定。)


原答案:

该错误消息的关键位是 "...near '?'" 这告诉我们您从未设置要在此时替换到查询中的值,等等?按字面意思使用。

您需要使用setString(如果"disease"列是文本列)或setInt等来设置查询参数。例如:

PreparedStatement ps = connection.prepareStatement("SELECT ... WHERE patient_medical_details.disease = ?");
ps.setString(1, "arachnophobia"); // <===
ResultSet rs = ps.executeQuery();

参数的编号(有点令人惊讶)第一个为 1 ?,第二个为 2,依此类推。