I know, for PreparedStatement I need to have the SQL expression fed into the PreparedStatement like this
String updateStatement =
"update " + dbName + ".COFFEES " +
"set TOTAL = TOTAL + ? " +
"where COF_NAME = ?";
However, can I feed the update statement with the full where clause without "?"
For example
String updateStatement =
"update " + dbName + ".COFFEES " +
"set TOTAL = TOTAL + ? " +
"where COF_NAME = 'aaa";
It is just cause I get the where as a parameter in my function, and I don't think it would be efficient to parse the string to break it up.
The purpose of using prepared statement is to have dynamic variables, but as you're asking if you can hard code the whole where clause, yes you can hard code it.
Related
I have the following code:
try {
userPasswordNew = new String(ChangePW.passwordFieldconfirm.getPassword());
PreparedStatement prepStmt = connection.prepareStatement(
"UPDATE " + TABLE_NAME + " SET password = " + userPasswordNew + " WHERE username = " + username);
prepStmt.setString(2, BCrypt.hashpw(userPasswordNew, BCrypt.gensalt(bcryptRounds))); //2 represents number of column in database starting with 0
System.out.println(prepStmt);
return prepStmt.executeUpdate() != 0;
} catch (SQLException e) {
e.printStackTrace();
}
I tried 1 2 and 3 as indexes but everytime it throws an Index out of range exception. Is there another way to get the column, maybe adressed with its name? Or what am I doing wrong?
Could somebody please help?
To use prepared statements - please use ? instead provided values. Like in this sample:
String updateString =
"update " + dbName + ".COFFEES " +
"set SALES = ? where COF_NAME = ?";
updateSales = con.prepareStatement(updateString);
To get more, please look here. In your case that could be:
PreparedStatement prepStmt = connection.prepareStatement(
"UPDATE " + TABLE_NAME + " SET password = ? WHERE username = ?");
prepStmt.setString(1, "that new password");
prepStmt.setString(2, "user_name");
I assume password and username are textual values. Hence you will have to enclose the values by quotes.
That is the query will be
"UPDATE " + TABLE_NAME + " SET password = " + userPasswordNew + " WHERE username = " + username
Also, as you are using PreparedStatement, you must not mention the variables in the query. A neater approach would be to use ? instead. Something like this.
"UPDATE " + TABLE_NAME + " SET password = ? WHERE username = ?
And then use .setString() etc methods with userPasswordNew and username.
Check this, https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html
When you use PreparedStatement, you define the parameters to pass in the sql statement by placing 1 or more ?.
Then you pass values to these parameters with methods like setString(), setInt(),... The order of the parameters is not 0 based but 1 based.
try {
userPasswordNew = new String(ChangePW.passwordFieldconfirm.getPassword());
PreparedStatement prepStmt =
connection.prepareStatement("UPDATE " + TABLE_NAME +" SET password = ? WHERE username = ?");
prepStmt.setString(1, userPasswordNew);
prepStmt.setString(2, username);
System.out.println(prepStmt);
return prepStmt.executeUpdate() != 0;
} catch (SQLException e) {
e.printStackTrace();
}
In your code there is this line:
prepStmt.setString(2, BCrypt.hashpw(userPasswordNew, BCrypt.gensalt(bcryptRounds)));
I don't know if this is a parameter that you want to pass.
If it is I can't see a ? placeholder in the sql statement.
I'm having some trouble using Oracle, since I was used to MySql syntax,
I'm trying to implement a query in my java program, but I keep getting the error:
ora-0933 sql command not properly ended.
My Query is:
String query1 = "SELECT t.nome, h.Valor_Atual, h.Valor_Antigo, a.nome
FROM Tecnologias t, Historico h, Academista a
WHERE h.Id_Academista = a.Id_Academista
AND h.Id_Tecnologia = t.Id_Tecnologia
AND (Valor_Atual || Valor_Antigo || nome)
LIKE '%" +ValToSearch + "%'";
Am I doing something wrong or is it Oracle syntax?
Thank you so much!
Although (Valor_Atual || Valor_Antigo || nome) LIKE '%" +ValToSearch + "%' is valid SQL syntax, it might match incorrectly, if the value to search happens to match a cross-over from value of one column to the next. So, you need to use OR, and you need to check columns separately.
Other issues:
Use JOIN syntax
Use PreparedStatement instead of string concatenation
Use try-with-resources (assuming you're not)
That means your code should be like this:
String sql = "SELECT t.nome, h.Valor_Atual, h.Valor_Antigo, a.nome" +
" FROM Historico h" +
" JOIN Academista a ON a.Id_Academista = h.Id_Academista" +
" JOIN Tecnologias t ON t.Id_Tecnologia = h.Id_Tecnologia" +
" WHERE h.Valor_Atual LIKE ?" +
" OR h.Valor_Antigo LIKE ?" +
" OR a.nome LIKE ?";
try (PreparedStatement stmt = conn.prepareStatement(sql)) {
stmt.setString(1, "%" + ValToSearch + "%");
stmt.setString(2, "%" + ValToSearch + "%");
stmt.setString(3, "%" + ValToSearch + "%");
try (ResultSet rs = stmt.executeQuery()) {
while (rs.next()) {
// code here
}
}
}
I have been struggling with an SQL Delete query. I want it to delete a row, Where 2 conditions are met. The error I am getting says my SQL Syntax is wrong near the end at the last ')'.
String sql = "DELETE FROM course
WHERE (username_entry = " + username +
" AND course_name = " + courseToDelete.toUpperCase() + ")";
My variables have the right values and the data in the database corresponds perfectly.
Here is an example of what your raw query might look like:
DELETE
FROM course
WHERE username_entry = tim AND course_name = chemistry;
Of course, this is not valid SQL, because you are comparing text columns against what will be perceived as other columns called tim and chemistry. You really want the above query to look like this:
DELETE
FROM course
WHERE username_entry = 'tim' AND course_name = 'chemistry';
In other words, you need to compare against properly escaped string literals. But in practice, the best thing to do is to use prepared statements, which handle the formatting automatically:
String sql = "DELETE FROM course WHERE username_entry = ? AND course_name = ?";
PreparedStatement ps = conn.prepareStatement(sql);
ps.setString(1, username);
ps.setString(2, courseToDelete.toUpperCase());
ps.executeUpdate();
You need to encapsulate string values into quotes
String sql = "DELETE FROM course
WHERE (username_entry = '" + username +
"' AND course_name = '" + courseToDelete.toUpperCase() + "')";
But better way is to use prepared statements as they do automatical escape
Did you try to remove the braces after the Where clause.
The query would look like below after the change:
String sql = "DELETE FROM course
WHERE username_entry = '" + username +
"' AND course_name = '" + courseToDelete.toUpperCase()+"'";
You don't have to use any open / close paranthesis for the query as such!
As suggested in the other answers, you don't really need to use the injection of variables but instead, use the PreparedStatement
String sql = "DELETE FROM course
WHERE username_entry = '" + username +
"' AND course_name = '" + courseToDelete +"'";
Hope this helps!
ResultSet rs = stat.executeQuery("select * from donor where username = '" + username + "'");
String type = rs.getString("bloodtype");
System.out.println("the user's blood type is: " + type);
String Updatesentence = "update bank set " + type + " = " + type + " + 1 where name = '" + name + "'";
System.out.println(Updatesentence);
stat.executeUpdate(Updatesentence);
Guys I am trying to make an update to an SQL database with this code and although I am not getting an error somewhere the code does not work with the desired result. The
System.out.println(Updatesentence);
is not printed and the update is not performed. I know there probably is somewhat of a syntax error on my String declaration, but I cannot work it out.
You have this:
String Updatesentence = "update bank set " + type + " = " + type + " + 1 where name = '" + name + "'";
So if the user's blood type is AB...
update bank set AB = AB + 1 where name = 'JohnSmith'
And that obviously won't work. You need to indicate the column in the database you want to be updating.
One of the most important things you need to remember when writing SQL statements, is to separate the query literal from the query arguments. This allows protection from SQL Injection and also makes it possible for the DB to reuse the query with different arguments (and "hard parsing" / optimizing the query only once). The way you do this with JDBC, is through prepared statements:
try (PreparedStatement queryPS = myConnection.prepareStatement(
"select * from donor where username = ?");
PreparedStatement updatePS = myConnection.prepareStatement(
"update bank set bloodtype = ? where name = ?");) {
queryPS.setString(1, username);
ResultSet rs = queryPS.executeQuery();
if (rs.next()) {
String type = rs.getString("bloodtype");
System.out.println("the user's blood type is: " + type);
updatePS.setString(1, type);
updatePS.setString(2, username);
updatePS.executeUpdate();
}
} catch (SQLException e) {
// handle it
}
When you use prepared statements, you don't need to worry about concatenating the inputs into the query; they will be sanitized and injected automatically. If you're doing things the "wrong way", it's really easy to make a mistake when you construct the query piece by piece from different variables in your code, and this is exactly what happened with the misplaced type variable in your example.
Your update statement is wrong. It should be :
String Updatesentence = "update bank set bloodtype = " + type + " + 1 where name = '" + name + "'" ;
I've created this little quiz for a school project using Java and MySQL. Now My project runs fine but as an experiment i tried to add images in my question. The Question jFrame takes the question and all options directly from a database called ques having 8 columns last of which is "path" which is a varchar(500). Here is my Java code to add questions :-
try {
Class.forName("java.sql.Driver");
Connection con = (Connection) DriverManager.getConnection(jdbcurl, user, pass);
Statement st = con.createStatement();
ResultSet rt = st.executeQuery("SELECT qno from ques order by qno desc limit 1");
// get last qno primary key
for (; rt.next(); ) {
qno = (Integer) rt.getObject(1); // save qno as int
}
nqno = qno + 1; // create new qno
if (path == null){
String query1 = "insert into ques values (" + nqno + ",'" + question + "','" + ans1 + "','" + ans2 + "','"
+ ans3 + "','" + ans4 + "','" + ca + "',null);"; // ca is correct answer and null is path
Statement st1 = con.createStatement();
st1.executeUpdate(query1);
System.out.println("query : "+query1);
JOptionPane.showMessageDialog(this, "Question added successfully! Without Image");}
else {
String query1 = "insert into ques values (" + nqno + ",'" + question + "','" + ans1 + "','" + ans2 + "','"
+ ans3 + "','" + ans4 + "','" + ca + "','"+path+"');";
System.out.println("query :" +query1);
Statement st1 = con.createStatement();
st1.executeUpdate(query1);
JOptionPane.showMessageDialog(this, "Question added successfully! with image");
}
} catch (Exception e) {
JOptionPane.showMessageDialog(this, "Error in code");
The query sent was
query :insert into ques values (12,'123','123','123','123','123','123','F:\JavaQuiz\src\javaquiz\About.png');
All okay, no exception handled.
But in the SQL the path is saved so :- F:JavaQuizsrcjavaquizAbout.png
The database omits the backslashes. I want it not to do so. So that later I can call this link in my Question.java
Please.. Any suggestion?
(I'm sorry I'm new to programming so sorry if this is a dumb question)
User PreparedStatement instead of Statement and set the parameters. This will set the correct String with required escape characters.
String query1 = "insert into ques values (?,?,?,?,?,?,?,?)";
PreparedStatement ps=connection.prepareStatement(query1);
ps.setInt(1,nqno);
ps.setString(2,question);
ps.setString(3,ans1);
ps.setString(4,ans2);
ps.setString(5,ans3);
ps.setString(6,ans4);
ps.setString(7,ca);
ps.setString(8,path);
ps.executeUpdate();
and do the try..catch for exceptions.
In java (and C,C++,C#) string the backslash character is a special "escape" character. You need to use \\ to represent a backslash, or change your insert to use parameters using prepared statements rather then be a string.
See Java Character Escape Code Reference
(Or just change your path to use / slashes).