Im getting this :
java.sql.SQLException: [Microsoft][ODBC Microsoft Access Driver] Syntax error in FROM clause.
For my code:
ResultSet results = state.executeQuery("SELECT * FROM User" + "WHERE user_name = '" +
txtUser.getText() + "'AND password = '" + txtPass.getText() + "'" );
I have already declared all of the variables, and i suspect the error has something to do with the structure however I am unsure. Thanks
If you pay close attention to your code on this line:
"SELECT * FROM User" + "WHERE user_name
You can see that this results in
SELECT * FROM UserWHERE user_name
You need to add in a space.
In addition you're opening yourself to SQL injection attacks by building your statement like this. You should really use a PreparedStatement and use placeholder. You also won't need to build the statement by hand which would help you avoid this very issue.
Related
PreparedStatement posted = con.prepareStatement(
"INSERT INTO userdate (description, UUID) VALUES ('"+ desc + "','" + postuuid + "') ON DUPLICATE KEY UPDATE");
this is the error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''
this is the code I have, does anyone know waht might be wrong with this?
Check on MySQL docs for reference on DUPLICATE KEY UPDATE https://dev.mysql.com/doc/refman/8.0/en/insert-on-duplicate.html
The keyword "UPDATE" is not the absolute end of the statement. You need to specify the fields/values that will be updated
I've been having hard times finding the appropriate syntax for a prepared statement.
This is what I currently have:
String query = "SELECT * FROM TABLE1" + "WHERE Col1="+val1+ "AND Col2="+val2;
Can you please tell me what the actual syntax is, as I keep getting an SQL syntax error?
Thanks :)
There is no space between your table name and where clause.
String query = "SELECT * FROM TABLE1 WHERE Col1="+val1+ " AND Col2="+val2;
And if Col1 and COl2 are varchar then single quotes before and after val1 and val2.
String query = "SELECT * FROM TABLE1 WHERE Col1='"+val1+ "' AND Col2='"+val2+"'";
And better using parameters instead of giving values directly. It helps prevent SQL Injection attacks
I'm trying to insert data into my MYSQL databse. I want to insert an int into the database which I have no problem doing. However, I want to INSERT INTO (VALUES) WHERE. I get a MYSQL syntax error when I try this.
I can INSERT and SELECT WHERE as long as they are in two seperate statements. Here is my code:
String query = ("INSERT INTO `accounts` (inventory) " + "VALUES ('"
+ Inventory.inventory + "') WHERE username='" + Frame.username
+ "' and password = '" + Frame.password + "'");
Basically, an INSERT statement can not have a WHERE clause. I am thinking that you want to UPDATE a certain record, eg
UPDATE accounts
SET inventory = 'valueHere'
WHERE userName = 'userHEre' AND password = 'passHere'
The only time an INSERT statement can have a WHERE clause is when you are inserting records from the result of a SELECT statement, eg
INSERT INTO tableName (col1, ..., colN)
SELECT col1, ..., colN
FROM table2
// WHERE ..your conditions here..
As a sidenote, your current coding style is vulnerable with SQL Injection. Consider using PreparedStatement.
Basic example of a PreparedStatement
String updateString = "UPDATE accounts SET inventory = ? WHERE userName = ? AND password = ?";
PreparedStatement updateStmt = con.prepareStatement(updateString);
updateStmt.setString(1, Inventory.inventory);
updateStmt.setString(2, Frame.username);
updateStmt.setString(3, Frame.password);
updateStmt.executeUpdate();
JDBC PreparedStatement
MySQL INSERT Syntax does not support the WHERE clause so that's why you have a syntax issue. Maybe you're looking for an UPDATE :
UPDATE [LOW_PRIORITY] [IGNORE] tbl_name
SET col_name1=expr1 [, col_name2=expr2 ...]
[WHERE where_definition]
[ORDER BY ...]
[LIMIT row_count]
Not a direct answer but more of a best practice....
You should avoid doing this type of string concatenation for any sql. You vulnerable to sql injection and it does not scale well. Instead you should look at using JdbcTemplates or NamedJdbcTemplate using the opensource spring framework.
The WHERE is not applicable in INSERT INTO Syntax. You want insert a new row in the table, and you should add the username and password as well as Inventory.inventory in VALUES set.
I am getting the above mentioned exception while executing the SQL query in Java.
statement2.executeUpdate("INSERT INTO visit_header"
+ "VALUES('"+visitnumber+"','"+date+"','"+cookie+"','"+ip+"')");
I want to know where it is going wrong.
As per initial look, you have a problem in your sql query:
statement2.executeUpdate("INSERT INTO visit_header" + "VALUES
Should be
statement2.executeUpdate("INSERT INTO visit_header " + "VALUES //Note space after header
There was no space between visit_header and VALUES, so your query was like this:
INSERT INTO visit_headerVALUES
Which is wrong.
You forgot to put space between visit_header and values:
statement2.executeUpdate("INSERT INTO visit_header" + " VALUES ('"+visitnumber+"','"+date+"','"+cookie+"','"+ip+"')");
I have problems running this sql statement. It works fine if I run it in mysql but in java I get this error:
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '' at line 1
The database has an id(pk) autogenerated, varchar, int, varchar;
Can someone help me?
int i = statement.executeUpdate("INSERT INTO sala values('','"+ nume.getText() + "', "+ Integer.parseInt(capacitate.getText())+ ", '" + sunet.getText()+"'");
Don't just try to fix this code by tweaking the SQL as per adarshr's answer. You have a fundamental security problem here which you should fix right now. You're open to SQL injection attacks due to including user data directly in your SQL.
You should use a PreparedStatement, with the parameters declared as placeholders in the SQL, but then given values separately. Exactly how you'll do that will depend on your JDBC provider, but it'll look something like this:
// TODO: Fix the column names, and close the statement in a try/finally block
PreparedStatement pst = conn.prepareStatement(
"INSERT INTO sala (nume, capacitate, sunet) VALUES (?, ?, ?)");
pst.setString(1, nume.getText());
pst.setInt(2, Integer.parseInt(capacitate.getText()));
pst.setString(3, sunet.getText());
pst.executeUpdate();
Note that if you can get capacite in a way which doesn't require integer parsing, that would be good. Otherwise, consider using NumberFormat which is more locale-friendly. Also note that I've added the column names into the SQL to make this more robust in the face of schema changes.
You haven't closed your query.
int i = statement.executeUpdate("INSERT INTO sala values('','"+ nume.getText() + "', "+ Integer.parseInt(capacitate.getText())+ ", '" + sunet.getText()+"')");
^
But more than all this, you must use PreparedStatement as Jon suggested below.