I have a SQL code in a java code which looks like this :
Connection con = null;
PreparedStatement pstmt = null;
ResultSet rs = null;
beforeExerTestDTO dto = new beforeExerTestDTO();
StringBuffer sql = new StringBuffer();
sql.append(" select * ");
sql.append(" from n_before_exer ");
sql.append(" where id=?");
sql.append(" and reg_date = (select max(reg_date) from n_before_exer where id=?)");
try {
con = pool.getLocalConnection();
pstmt = con.prepareStatement(sql.toString());
pstmt.setString(1, id);
pstmt.setString(2, id);
System.out.println("여기까진 살까??");
rs = pstmt.executeQuery();
/......
...... some code /
}catch(SQLException e){
System.out.println("read : " + e);
System.out.println("read : " + sql);
}catch(Exception e){
System.out.println("read : " + e.getStackTrace().toString());
}finally{
DBClose.close(con, pstmt, rs);
}
return dto;
}
When the file gets executed it forms a statement like this in console:
select * from n_before_exer where id=? and reg_date = (select max(reg_date) from n_before_exer where id=?)
and throws a
java.sql.SQLEXCEPTION
What I tried :
I ran the same in Mysql Workbench query :
and got the following error:
Error Code: 1064. You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax to use near '? and reg_date = (select max(reg_date) from
n_before_exer where id=?)' at line 1
A bit of research on the topic shows :
This way is not a preferred way as it can lead to injection attacks
And was advised to use a placeholder for a parameter
It seems a bit complex for me, if anyone can help me construct this statement in the right preferred way please
Thanks
You should be using a prepared statement:
Connection con; // get a connection
PreparedStatement ps = con.prepareStatement(sql);
ps.setInt(1, someInt);
ps.setInt(2, someOtherInt);
ResultSet rs = ps.executeQuery();
while (rs.next()) {
// process each record
}
Your statement seem correct in syntax. Are you have encoding issue on you java file?
pstmt.setString(1, id);
I guess the problem is that the type of id is not string ,you could use this to have a try:
Related
The syntax that from the java code is not applicable to mysql. The setString() from java will come out with ' and not ` which is not accepted in mysql.
I tried in my localhost to run the code, it really not accepting 'doctor' and only accept ``doctor`.
Below are my code:
PreparedStatement ps = con.prepareStatement("SELECT id FROM ? WHERE id = ?");
ps.setString(1, "doctor");
ps.setInt(2, 123);
ResultSet rs = ps.executeQuery();
and there is an error
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''doctor' WHERE id = 123' at line 1
It's because your code produces following query:
SELECT id FROM 'doctor' WHERE id = 123
As you can see table name is used as a String which is invalid SQL Syntax, so you can either hard code table name and or if you really want it to be dynamic you can achieve it like:
String sql = String.format("SELECT id from %s where id = ?", tblName);
PreparedStatement ps = con.prepareStatement(sql);
ps.setInt(1, 123);
ResultSet rs = ps.executeQuery();
I am new to using java with a database and I have been trying following code:
public int getDateDiff(int OrderID) {
Connection conn = DBConnection.getConnection();
Integer diff = null;
String getdiffSQL = "SELECT DATEDIFF( DAY , StartDate , EndDate ) FROM CarOrder WHERE OrderID = ?;";
try {
PreparedStatement pstm = conn.prepareStatement(getdiffSQL);
pstm.setInt(1, OrderID);
ResultSet rs = pstm.executeQuery(getdiffSQL);
while (rs.next()) {
diff = rs.getInt(1);
}
}
catch (SQLException ex) {
System.out.println("Error: " + ex.getMessage());
}
return diff;
}
I tried running this but i encounter this
"Exception in thread "AWT-EventQueue-0" java.lang.NullPointerException"
and the the return diff is null. Please tell me what wrong in this and how do i fix this.
PreparedStatement#executeQuery() does not take a parameter and you should not be passing the query string. Instead use this pattern:
PreparedStatement pstm = conn.prepareStatement(getdiffSQL);
pstm.setInt(1, OrderID);
ResultSet rs = pstm.executeQuery(); // no parameter
This is a fairly common mistake made when using JDBC, partly because Statement#executeQuery() does take the query string as a parameter. Add to this tutorials like MkYong which make the same mistake as the OP and it is easy to see why this error is so prevalant.
I've written the following code (snippet):
conn = Pooling.getDataSource().getConnection();
String databaseName = Configuration.getDatabaseName();
String sql = "SELECT * FROM " + databaseName + ".companies WHERE companyemail = ? AND companypassword = MD5(?)";
PreparedStatement prepStat = conn.prepareStatement(sql);
prepStat.setString(1, username);
prepStat.setString(2, password);
System.out.println("LoginService: prepStat = " + prepStat.toString());
ResultSet rs = prepStat.executeQuery(sql);
...
Now, when I execute this, I'm getting a MySQLSyntaxErrorException. The prepStat.toString() prints:
SELECT * FROM dbname.companies WHERE companyemail = 'comp#comp.com' AND companypassword = MD5('passwort')
And a simple copy and paste to SequelPro successfully return a result.
However, the backend still claims that there is an error in the syntax:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '? AND companypassword = MD5(?)' at line 1
Maybee I'm blind but I do not see an error here? But what is happening here?
Okay, I found out what the problem was. I used:
ResultSet rs = prepStat.executeQuery(sql);
However, I should have used
ResultSet rs = prepStat.executeQuery();
instead.
Try this:
String sql = "SELECT * FROM '" + databaseName + ".companies' WHERE companyemail=? AND companypassword = MD5(?)";
Notice the single quote before the databaseName variable and after .companies . I think that could be the problem.
Or you could do this:
String sql = "SELECT * FROM ? WHERE companyemail =? AND companypassword = MD5(?)";
PreparedStatement prepStat = conn.prepareStatement(sql);
prepStat.setString(1, databaseName);
prepStat.setString(2, username);
prepStat.setString(3, password);
I believe the problem is at the level of parsing the databaseName to the prepared statement.
First crack at using SQLite+Java and I'm recieving an error when I attempt to execute a simple simple query.
Error:
not implemented by SQLite JDBC driver
Query:
String sql =
"select Asset, Qty*Price+Fees as Cost \n" +
"from Transactions t \n" +
" inner join TransactionItems i on t.Id = i.TransactionId \n" +
"where TransDate <= ? \n";
try (PreparedStatement stmt = cnn.prepareStatement(sql)) {
java.sql.Date dte = new java.sql.Date(SumDate().getTimeInMillis());
stmt.setDate(1, dte);
try(ResultSet rs = stmt.executeQuery(sql)) {
while(rs.next()) {
PortfolioSummaryItem item = new PortfolioSummaryItem(PortfolioSummary.this);
item.Load(rs);
items.put(item.asset,item);
}
rs.close();
}
stmt.close();
This was a simple cut/paste style error. When using prepared statements, you shouldn't then pass the SQL into the executeQuery.
Change:
try(ResultSet rs = stmt.executeQuery(sql)){
To:
try(ResultSet rs = stmt.executeQuery()){
This was overriding the preparedStatement.
What it was complaining about was executing a query with a '?' in it since it wasn't the prepared query.
Check the jdbc driver you have in the libs folder.
It looks like it has not implemented the methods you have called.
Try downloading the driver from here:
https://bitbucket.org/xerial/sqlite-jdbc/downloads
I am using following method for calculating payroll by using jdbc but "ORA-01008: not all variables bound" error is not removing.
Any idea please?
I am using following code
public double getPayroll(){
ResultSet rs = null;
ResultSet rs1 = null;
ResultSet rs2 = null;
Connection conn = null;
PreparedStatement pstmt = null;
try {
conn = getDBConnection();
double dailyPay=0,basicPay=0,payroll2=0;
int houseRent=0,convAllow=0,noOfPresents=0,empId=0;
String q = "select e_id from employee";
pstmt = conn.prepareStatement(q);
rs = pstmt.executeQuery();
while (rs.next()) {
empId=rs.getInt(1);
String q1 = "select count(att_status) from attendance where att_status='p'";
pstmt = conn.prepareStatement(q1);
rs1 = pstmt.executeQuery(q1);
while(rs1.next()){
noOfPresents=rs1.getInt(1);
String q2 = "select e_salary,e_house_rent,e_conv_allow from employee where e_id=?";
pstmt = conn.prepareStatement(q2);
pstmt.setInt(1,empId);
rs2 = pstmt.executeQuery(q2);
while(rs2.next()){
dailyPay=rs2.getInt(1)/22;
houseRent=rs2.getInt(2);
convAllow=rs2.getInt(3);
basicPay=dailyPay*noOfPresents;
payroll2+=basicPay+houseRent+convAllow;
}
}
}
return payroll2;
}catch (Exception e) {
e.printStackTrace();
return 0.0;
} finally {
try {
rs.close();
pstmt.close();
conn.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}
Your problem is here:
rs2 = pstmt.executeQuery(q2);
You're telling the PreparedStatement to execute the SQL q2, rather than executing the SQL previously prepared. This should just be:
rs2 = pstmt.executeQuery();
This is a fairly common mistake, caused mainly by the bad class design of java.sql.Statement and its subtypes.
As #RMT points out, you make the same mistake here:
rs1 = pstmt.executeQuery(q1);
This doesn't matter so much, since there are no placeholders in q1, so the SQL executes as-is. It's still wrong, though.
Lastly, you should consider calling close() on the first PreparedStatement, before re-assigning the pstmt variable to another one. You risk a leak if you don't do that.
pstmt = conn.prepareStatement(q2);
pstmt.setInt(1,empId);
rs2 = pstmt.executeQuery(q2);
You have already created the prepared statement with the query q2 and bound the variable empId to it. if you now invoke pstmt.executeQuery(q2), the variable binding is lost. The JDBC driver probably parses the unbound sql q2 when you execute pstmt.executeQuery(q2).
One reason might be that you cannot re-use the instance of pstmt like that. You have to use a separate PreparedStatement instance in each level of the loop.
Are you aware that this can be done with just a single statement as well?
Edit:
Assuming there is a relation between employee and attendance, something like this would return the sum in a single request:
select sum( (e_salary / 22) * att_count + e_house_rent + e_conv_allow )
from (
select emp.e_salary
emp.e_house_rent,
emp.e_conv_allow,
(select count(att.att_status) from attendance att where att.e_id = mp.e_id) s att_count
from employee emp
) t
If indeed attendance is not linked to employee, just leave out the where clause in the nested select.
UPDATE TESTCP SET CP_KEY2 =?, CP_DESC =?, CP_MAKER =?, CP_MAKER_DT =SYSDATE, CP_STATUS ='M' WHERE CP_LANGUAGE = ? AND CP_ENG_CODE = ? AND CP_KEY1 =? AND CP_LANGUAGE =?
In the above query we have 7 in parameter but if in your java code PreparedStatement you have set only 6 parameter values .
That time also this error will occur.