I have problem with executing query in my Java program. Here is the code:
String selected=offersList.getSelectedValue();
String sql="SELECT * from outcoming_offers where about='"+selected+"'";
pst=con.prepareStatement(sql);
rs=pst.executeQuery();
And when there is single quotes in 'selected' - it is giving me an error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near.....
So I understand why there is error but I am wondering how to make this work. Are there any other ways except concat()?
It's always better approach is to use prepared statements instead of raw SQL string concatenation.
From your example you should write prepared query like below (parameter to pass are replaced with question marks):
String sql="SELECT * from outcoming_offers where about=?";
PreparedStatement ps = con.preparedStatement(sql);
And then just inject parameter values and execute query:
ps.setString(1, selected);
ResultSet rs = ps.executeQuery();
Thanks to this approach you don't have to deal with SQL query string and single quotes, which is very often error-prone and also (very important) your code is not expose to SQL Injection attacks.
More info in documentation: https://docs.oracle.com/javase/8/docs/api/java/sql/package-summary.html
You are using a Prepared Statement but not passing the required parameter as you should. Change the statement to this:
String sql="SELECT * from outcoming_offers where about=?";
and then pass the parameter:
pst=con.prepareStatement(sql);
pst.setString(1, selected);
This way you set selected as the 1st parameter of the Prepared Statement.
Now you can execute the query:
rs=pst.executeQuery();
Related
Here's my query:
select *
from reg
where indexno=?
or tel=?
And here's my code:
Class.forName("com.mysql.cj.jdbc.Driver");
Connection con =DriverManager.getConnection("jdbc:mysql://url","unam","pass");
String query = "select * from reg where indexno= ? or tel=?";
PreparedStatement ps = con.prepareStatement(query);
ps.setString(1, in.getText());
ps.setString(2, tl.getText());
Statement st = con.createStatement();
ResultSet rs = st.executeQuery(query);
Let's take a closer look at what your code is doing.
Connecting to the database:
Connection con =DriverManager.getConnection("jdbc:mysql://url","unam","pass");
Creating the SQL query:
String query = "select * from reg where indexno= ? or tel=?"`;
Creating a prepared statement:
PreparedStatement ps = con.prepareStatement(query);
Setting some bind parameter values:
ps.setString(1, in.getText());
ps.setString(2, tl.getText());
Creating a whole new non-prepared statement (wait, what? Why are we not using the prepared statement we spent some time creating?):
Statement st = con.createStatement();
Using the new non-prepared statement to execute the SQL query.
ResultSet rs = st.executeQuery(query);
As a result of the last two lines, your SQL query is sent straight to the MySQL database. MySQL doesn't understand what the ? marks are for, and hence complains with a syntax error about them.
When handling prepared statements, JDBC drivers will either replace the ? marks with the database's own syntax for bind parameters (unless the database supports ? marks directly, but not all databases do), or put the values directly in the SQL string after suitable escaping of any characters, before they send the SQL to the database. Statements don't support bind parameters, and will just send the SQL string they are given straight to the database.
Your code creates a PreparedStatement and sets two bind parameter values. It seems a shame not to actually use your prepared statement once you've created it. You can get the result set you want out of it by calling ps.executeQuery(). There is no need for the separate Statement you created by calling connection.createStatement().
The fix therefore is to remove the last two lines of the code in your question and add the following line in place of them:
ResultSet rs = ps.executeQuery();
Im writing a java program and I have a SQL statement that currently is outputting wrong:
so the code is:
String sql = "SELECT Name from Users WHERE Name LIKE "+t;
and the Output is:
SELECT Name from Users WHERE Name LIKE David
But I need it to be with single quotes how can I add that to be like:
SELECT Name from Users WHERE Name LIKE 'David'
how can I add those quotes?
Many thanks for the help
This is a very common mistake. I'm guessing you are using Statement class to create your query and executing it.
I'd like to suggest that you use prepared statements. It'll since your issue and help you with further issues.
PreparedStatement ps = yourconn.prepareStatement("select name from users where name like ?");
ps.setString(1,yoursearchedusername);
ResultSet rs = ps.executeQuery();
This will add your quotes. Plus it will prevent from sql injection attacks in future.
Your current query will also cause issues of your actual query has ' or ? Or any other sql wild card. Prepared statement avoids all these issues and helps with performance by having the sql already compiled and stored at db layer (if enabled)
Use a prepared statement to prevent sql injections.
String searchedName = "cdaiga";
String sql = "SELECT Name from Users WHERE UPPER(Name) LIKE '%?%'";
PreparedStatement preparedStatement = dbConnection.prepareStatement(sql);
preparedStatement.setString(1, (searchedName!=null? searchedName.toUpper(): ""));
// execute the SQL stetement
preparedStatement .executeUpdate();
ResultSet rs = preparedStatement.executeQuery();
// print the results if any is returned
while (rs.next()) {
String name= rs.getString("Name");
System.out.println("name: " + name);
}
Note that a case insensitive search would be appropriate.
I'm trying to execute following SQL query where it tries to find results that matches the column2 values ending with abc
PreparedStatement stmt = conn.prepareStatement("SELECT column1 FROM dbo.table1 WHERE column2 LIKE ?");
stmt.setString(1, "%" +"abc");
But it returns nothing even though there is a matching value. This only happens with SQL Server. Same query with informix database returns correct results. Anyone has an idea about what causing this to behave differently?
Is this due to an issue in how PreparedStatement creates the SQL query for SQL Server?
Edit
I found out this happens when the data in the column which i perform the like contain space. eg: when the column contains "some word" and if i perform the search by stmt.setString(1, "%" + "word"); it won't return a matching result but if i perform the same on for "someword" it would return the matching result
SQL Server accepts wild characters in the LIKE clause within the single quotation marks, like this ''.
A sample SQL query:
SELECT NAME FROM VERSIONS WHERE NAME LIKE 'Upd%'
The query above will yield you results on SQL Server. Applying the same logic to your Java code will retrieve results from your PreparedStatement as well.
PreparedStatement stmt = conn.prepareStatement("SELECT NAME FROM VERSIONS WHERE NAME LIKE ?");
stmt.setString(1, "Upd%");
I've tested this code on SQL Server 2012 and it works for me. You need to ensure that there are no trailing spaces in the search literal that you pass on to your JDBC code.
Though as a side note, you need to understand that a wildcard % used in the beginning, enforces a full table scan on the table which can deteriorate your query performance. A good article for your future reference.
Hope this helps!
i have same problem,i have done with the CONCATE function for this.
PreparedStatement ps = con.prepareStatement(
"SELECT * FROM analysis WHERE notes like CONCAT( '%',?,'%')";
ps.setString(1, notes);
ResultSet rs = ps.executeQuery();
I am trying a update an entry in my SQL table which has a column name "from" in JDBC.
Following is the SQL command that I am trying to execute:
sql = "Update email_template set [from]="+"'"+3+"'"+" WHERE id="+idno;
stmt.executeUpdate(sql);
However it shows the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[from]='Akshit' WHERE id=1' at line
MySQL's way of escaping column names is by using backticks:
sql = "Update email_template set `from`="+"'"+3+"'"+" WHERE id="+idno;
I recommend using java.sql.PreparedStatement when handling SQL in Java. It can be used for batches and ensures malicious SQL is not injected as part of the SQL code.
This is how your code looks with a PreparedStatement:
PreparedStatement stmt = connection.prepareStatement("UPDATE `email_template` SET `from` = ? WHERE id = ?");
stmt.setInt(1, 3);
stmt.setInt(2, idno);
stmt.executeUpdate();
If this is an operation you execute for many rows in one go, replace stmt.executeUpdate() with stmt.addBatch() (likely in some loop) and when you're ready to execute the batched updates you call stmt.executeBatch().
Note that both executeUpdate() and executeBatch() return how many rows were affected; which is something you may want to validate after a commit.
I have to read the below SQL statement from one properties.
update scoreconfig set scorestatus=0 where scoreversion=props.getProperty("scoreversion");
And value for score version I've to take it from other properties file.
But, when I prepare a statement in java function as below:
final String query = strLine;
PreparedStatement ps=con.prepareStatement(query);
where query has
update scoreconfig set scorestatus=0 where scoreversion=props.getProperty("scoreversion");
But I get
Error: ORA-00911: invalid character
...when I do ps.execute();
I assume props is a Properties instance or similar. If so, the props.getProperty("scoreversion") part is meant to happen at the Java layer, not in the database. Instead:
String sql = "update scoreconfig set scorestatus=0 where scoreversion=?";
PreparedStatement ps = con.prepareStatement(sql);
// If scoreversion is a String:
ps.setString(1, props.getProperty("scoreversion"));
ResultSet rs = ps.executeQuery();
...or if scoreversion is an int, use this instead of the setString line:
// It scoreversion is an int:
ps.setInt(1, Integer.parseInt(props.getProperty("scoreversion")));
...etc., convert as appropriate.
Basically, when you use prepareStatement, you use ? where parameters should go, and then you use setXyz on the PreparedStatement instance to set those parameters. (Oddly, they start with 1, not 0.) Note that even when the parameter is a String, you don't put quotes around it in the SQL you pass into prepareStatement; that's handled for you (along with properly escaping that string to prevent SQL injection, so PreparedStatement and setXyz are your friends, you'll get to know them well).