I want to pass a bit as one of the parameters in Prepared Statement. My query should look like this :
query = select * from tbl_security_details('user',O::BIT)
I am framing the query as :
query = select * from tbl_security_details(?,?)
PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1,"user")
ps.setString(2,"0::BIT")
However, this throws an error.
Can someone explain how I can pass 0::BIT from the prepare statement without it appending the single quote by itself and getting converted to String ?
Write the prepared statement so that the cast is part of the query:
String query = "select * from tbl_security_details(?, ?::bit)";
java.sql.PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1, "user");
ps.setString(2, "0");
That is necessary, because you can only pass a constant value to the prepared statement, not an SQL expression.
Related
For example, if i have declared
String SQL = "select ? from dual";
Create a prepared statement for the above query
PreparedStatement preStmt = conn.prepareStatement(SQL);
And then try to add the expression as
preStmt.setString(1, expression);
How would that work? Is it possible to use it that way?
i have created prepared statement object .
now i want to get the result of multiple queries . is it possible to do using single prepared statement object/ find the piece code below
PreparedStatement ps = null;
String moviedirectorQry = "SELECT movie_director FROM movies WHERE movie_title= ?";
ps = dbConnection.prepareStatement(moviedirectorQry);
ps.setString(1, "Twilight");
ResultSet rs=null;
rs = ps.executeQuery(moviedirectorQry);
while (rs.next()) {
String director_name = rs.getString("movie_director");
System.out.println("director name : " + director_name);
}
now i want to run another query.. how to do
If the idea is to use the same PreparedStatement for different queries of the same type with only parameters' value that change, yes it is possible, simply call clearParameters() first to clear the parameters in case you want to reuse it before setting the new parameters' value.
The code could be something like that:
if (ps == null) {
// The PreparedStatement has not yet been initialized so we create it
String moviedirectorQry = "SELECT movie_director FROM movies WHERE movie_title= ?";
ps = dbConnection.prepareStatement(moviedirectorQry);
} else {
// The PreparedStatement has already been initialized so we clear the parameters' value
ps.clearParameters();
}
ps.setString(1, someValue);
ResultSet rs = ps.executeQuery();
NB: You are supposed to use executeQuery() not ps.executeQuery(moviedirectorQry) otherwise the provided parameters' value will be ignored such that the query will fail.
i want to fetch data from database by using a variable string.it shows error
"Unknown column '$a' in 'where clause'"
String a=request.getParameter("from");
ResultSet resultset= statement.executeQuery("select * from flight where f = $a") ;
If you want to use the value of the a variable where you have $a, you need to use a prepared statement and fill it in:
String a = request.getParameter("from");
PreparedStatement ps = connection.prepareStatement( // Create a prepared statement
"select * from flight where f = ?" // Using ? for where the
); // parameter goes
ps.setString(1, a); // Fill in the value (they
// start a 1, oddly)
ResultSet resultset = ps.executeQuery(); // Execute the query
Note that even though it's a string, you don't put quotes around the ?. The PreparedStatement handles that for you at the DB driver level, in a way that's safe from SQL injection.
why we use setInt with select query instead of using getInt when value is already there in database?
try {
conn = getConnection();
ps = conn.prepareStatement("SELECT * FROM circle where id =?");
ps.setInt(1, circleId);
Circle circle = null;
rs = ps.executeQuery();
if (rs.next()) {
//String s = rs.getString(circleId);
circle = new Circle(circleId, rs.getString("name"));
}
You're setting the value of the parameter to be used in the query. The ? in the SQL represents the parameter, and here you're giving it a value.
When you call getString() later, that's getting a value from the results of the query, which are very different from the parameters sent as part of the query.
Parameterized SQL allows safe inclusion of values into queries, without needing to escape them to prevent SQL injection attacks, or worrying about data type conversions. You should read the JDBC PreparedStatement tutorial for more details.
Following is my code line :
ResultSet rs3 = stmt6.executeQuery("SELECT * FROM ShopSystem.Order where s_id="+s_id+" AND status="+Pending);
I am getting the following error :
Unknown column 'Pending' in 'where clause'
What could be the reason... I cant get through it..
No doubt, status is a string, so it needs to be compared to a string. Use delimiters:
SELECT * FROM ShopSystem.Order where s_id="+s_id+" AND status='"+Pending+"'"
Or better yet, learn how to write code that uses parameter substitution for putting parameter values into SQL strings.
Change it to
AND status = '" + Pending + "'"
You need to put the string in quotes. Otherwise the DB thinks you mean a column name.
But actually you should use Prepared Statements. Then you don't need to patch the queries together like this and you don't worry about parameters and escaping them...
Don't make concatenation ! Use prepared statements
PreparedStatement stm = conn.prepareStatement("SELECT * FROM ShopSystem.Order where s_id = ? AND status = ?");
stm.setInt(1, s_id);
stm.setString(2, Pending.name());
ResultSet rs = stm.executeQuery();
you must use the PreparedStatement in this case
// use the ? for the 2 entries values
String selectSQL = new String("SELECT * FROM ShopSystem.Order where s_id=? AND status=?")
preparedStatement = dbConnection.prepareStatement(selectSQL);
// in order you must incialise them here
preparedStatement.setString(1, "s_id");
preparedStatement.setString(2, "Pending");
//execute your resultset `enter code here`
ResultSet rs = preparedStatement.executeQuery();