Question

JAVA方法,SQL语句模糊查询？

我写了个方法public List searchArticle(int type,String title, String writer) {
List list = new ArrayList();
String sql="select * from ARITCLE where type="+type+" and title like "++" and writer like "+writer+"";..................}方法接收三个参数，我想请问那条SQL语句应该怎么写？title和writer都为模糊查询！

Answer 1

这问题很眼熟
也可以这样：
String sql="select * from ARITCLE where type="+type+" and title like "++" and writer like "+writer+"";
改成
String sql="select * from ARITCLE where type="+type+" and title like '%"++"%' and writer like '%"+writer+"'%";
如果writer 这些参数是用户输入而且不经过处理的话
拼接字符串生成查询语句，会使SQL注入攻击变得相当容易

Answer 2

String tt="%"+title+"%"; String ww="%"+write+"%"; String sql="select * from ARITCLE where type="+type+" and title like ' "+tt+" 'and writer like ' "+ww+" ' ";如此而已

Answer 3

比如type传入2个值，writer传入一个值，写的时候同一个字段的先用or，用括号括起来，然后和其他条件用and。比如：select * from ARITCLE where (type like '%传入的type1%' or type like '%传入的type2%') and writer like '%传入的writer%'

Answer 4

String sql="select * from ARITCLE where type="+type+" and title like \'\%"+title+"\%\' and writer like \'\%"+writer+"\%\'"
楼上的思路是对的，但是Java中输出符号要用转义符 \ 的，应为在Java中 ' % 用自己的意思，所以要用 \' \% 来表示

Answer 5

="select * from ARITCLE where type=' "+type+" 'and title like ' "++" 'and writer like' "+writer+" ' ";还有你好像没有加%