String req="INSERT INTO NOTIFICATIONS VALUES(6,1,sysdate,'toz',02542,'bporp')(SELECT valide from mouvement where valide=?)";
I want to make a query with conditions, but I get the error:
SQL command not properly ended
You have an invalid SQL query. Here's your current SQL statement:
INSERT INTO NOTIFICATIONS VALUES(6,1,sysdate,'toz',02542,'bporp')(SELECT valide from mouvement where valide=?)
If we split this into several lines for better understanding, you will have this:
INSERT INTO NOTIFICATIONS
VALUES(6,1,sysdate,'toz',02542,'bporp')
(SELECT valide from mouvement where valide=?)
Which is not a valid statement, not even for any SQL tool. That's because you have 2 statements without separating them: an INSERT and then a SELECT, and you're not executing an INSERT INTO <TABLE1> SELECT ... FROM <TABLE2>.
You should execute a single SQL statement per Statement or PreparedStatement. This, in Java, should be done like this:
String sql1 = "INSERT INTO NOTIFICATIONS"
+ " VALUES(6,1,sysdate,'toz',02542,'bporp')";
String sql2 = "SELECT valide from mouvement where valide=?";
Statement stmt = con.createStatement();
stmt.executeUpdate(sql1);
PreparedStatement pstmt = con.prepareStatement(sql2);
pstmt.setString(1, <parameter_value>);
ResultSet rs = pstmt.executeQuery();
I want to pass a bit as one of the parameters in a PreparedStatement. My query should look like this:
query = select * from tbl_security_details('user',0::BIT)
I am framing the query as:
query = select * from tbl_security_details(?,?)
PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1, "user");
ps.setString(2, "0::BIT");
However, this throws an error.
Can someone explain how I can pass 0::BIT from the prepare statement without it appending the single quote by itself and getting converted to String ?
Write the prepared statement so that the cast is part of the query:
String query = "select * from tbl_security_details(?, ?::bit)";
java.sql.PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1, "user");
ps.setString(2, "0");
That is necessary, because you can only pass a constant value to the prepared statement, not an SQL expression.
I only clicked the button once, but the output is 2. I wonder if there is something wrong with my condition in the while loop? Or should I use a different approach?
As you can see in the picture, I entered only one record, but the output shows that both the if and the else branches executed:
String pass = PF.getText();
String user = TF.getText();
Connection con = connect.getConnection();
Statement st;
ResultSet rs;
String query = "SELECT username, password FROM users";
try {
    st = con.createStatement();
    rs = st.executeQuery(query);
    // one iteration per row in the table, not per user entered
    while (rs.next()) {
        if (user.equals(rs.getString("username"))) {
            if (pass.equals(rs.getString("password"))) {
                System.out.println("Logged In!");
            } else {
                System.out.println("Error");
            }
        } else {
            System.out.println("Not in the database!");
        }
    }
    st.close();
} catch (SQLException e) {
    e.printStackTrace();
}
As per your table, you have two rows. And if you execute the following query, it will return two rows.
String query = "SELECT username, password FROM users";
You could add username and password in the WHERE clause instead.
PreparedStatement stmt = connection.prepareStatement("SELECT username, password FROM users where username =? AND password=?");
stmt.setString(1, userid);
stmt.setString(2, pass);
Better to use PreparedStatement to avoid any SQL injection.
In the line below you are selecting all the rows in the users table:
String query = "SELECT username, password FROM users";
You need to limit it to the specific one that you want using a WHERE clause.
Wikipedia about the WHERE clause:
WHERE clauses are not mandatory clauses of SQL DML statements, but can be used to limit the number of rows affected by a SQL DML statement or returned by a query. In brief, the SQL WHERE clause is used to extract only those results from a SQL statement, such as a SELECT, INSERT, UPDATE, or DELETE statement.
Like below:
String query = "SELECT username, password FROM users WHERE username = '" + user + "' AND password = '" + pass + "'";
I did this using string concatenation. This will lead to SQL injection, so you can use PreparedStatement as #Ravi mentioned.
Oracle documentation about PreparedStatement:
A SQL statement is precompiled and stored in a PreparedStatement object. This object can then be used to efficiently execute this statement multiple times.
Also this question may help you.
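The three approaches discussed above (scanning every row and comparing in application code, concatenating the values into the SQL text, and binding them as parameters), as an added Python/sqlite3 example that is not part of the original posts. The users table and its two rows are constructed here; sqlite3's `?` placeholders play the role of JDBC's PreparedStatement.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample: a users table with two rows, like the question's table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con

def login_scan_all_rows(con, user, pw):
    """The question's approach: SELECT every row and compare in application code.
    One message per row is produced, which is why the question sees two outputs."""
    messages = []
    for username, password in con.execute("SELECT username, password FROM users"):
        if user == username:
            messages.append("Logged In!" if pw == password else "Error")
        else:
            messages.append("Not in the database!")
    return messages

def login_concat(con, user, pw):
    """String concatenation, as in the second answer: the input becomes part of the
    SQL text, so a value containing a quote changes the statement's syntax."""
    sql = ("SELECT username, password FROM users WHERE username = '" + user
           + "' AND password = '" + pw + "'")
    return con.execute(sql).fetchall()

def login_bound(con, user, pw):
    """Parameter binding, the sqlite3 equivalent of PreparedStatement.setString():
    the SQL text is fixed and the values travel separately, never as SQL."""
    sql = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (user, pw)).fetchall()

def concat_error_for(con, user, pw):
    """Return the database error the concatenated query raises, or None if it ran."""
    try:
        login_concat(con, user, pw)
        return None
    except sqlite3.OperationalError as e:
        return str(e)

if __name__ == "__main__":
    con = make_db()
    print(login_scan_all_rows(con, "bob", "hunter2"))  # two messages for two rows
    print(login_bound(con, "bob", "hunter2"))          # exactly one matching row
    print(concat_error_for(con, "o'brien", "x"))       # the quote broke the SQL
    print(login_bound(con, "o'brien", "x"))            # [] : handled safely, no match
```

A perfectly legitimate value such as o'brien is enough to break the concatenated query, which is the same mechanism an attacker relies on; binding makes the quote just data.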
How to use an SQLite function using PreparedStatement?
PreparedStatement stmt;
String query = "insert into Test values(?,?)";
stmt = conection.prepareStatement(query);
stmt.setString(2, "date('now')");
date('now') is the SQLite function I want to use, but it inserts "date('now')" as text.
One way of achieving this is by changing your SQL string; with this you no longer need to set the date parameter in your PreparedStatement.
String query = "insert into Test values(?,date('now'))";
Now you just need to set parameter 1:
stmt.setString(1, <<param1 value>>);
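The behaviour described in this question and answer, as an added Python/sqlite3 example that is not part of the original posts: binding the text date('now') stores it literally, while putting date('now') in the SQL text makes SQLite evaluate it. The Test table with columns name and created is constructed here; the third function is an extra alternative (compute the date in the application and bind the value) that the answer does not show.

```python
import sqlite3
from datetime import date

def make_db():
    """Constructed in-memory table matching the question's 'insert into Test values(?,?)'."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Test (name TEXT, created TEXT)")
    return con

def stored_value(con, name):
    """Read back what actually landed in the created column for this row."""
    return con.execute("SELECT created FROM Test WHERE name = ?", (name,)).fetchone()[0]

def insert_function_as_parameter(con, name):
    """The question's attempt: a bound parameter is data, so the literal text
    date('now') is stored and never evaluated as a function call."""
    con.execute("INSERT INTO Test VALUES (?, ?)", (name, "date('now')"))
    return stored_value(con, name)

def insert_function_in_sql(con, name):
    """The answer's fix: date('now') is part of the SQL text, so SQLite evaluates it;
    only the first column is still a bound parameter."""
    con.execute("INSERT INTO Test VALUES (?, date('now'))", (name,))
    return stored_value(con, name)

def insert_app_computed_date(con, name):
    """Alternative when the date must stay a parameter: compute it in the
    application and bind the resulting value (YYYY-MM-DD)."""
    con.execute("INSERT INTO Test VALUES (?, ?)", (name, date.today().isoformat()))
    return stored_value(con, name)

if __name__ == "__main__":
    con = make_db()
    print(insert_function_as_parameter(con, "a"))  # date('now')  (literal text)
    print(insert_function_in_sql(con, "b"))        # today's date, e.g. 2024-01-31
    print(insert_app_computed_date(con, "c"))      # today's date from the application
```

SQLite's date('now') is evaluated in UTC while date.today() is local time, so pick one convention for the column.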
I'm familiar with using Java prepared statements to insert/update on a table. In Oracle you can add a comment on a table; how would I use a PreparedStatement to do that?
This was my initial attempt, with no luck:
PreparedStatement stmt = con.prepareStatement("comment on table my_table is q'[?]'");
stmt.setString(1, description);
stmt.executeUpdate();
You can use the Oracle system table and set the comment there with PreparedStatement, like this:
PreparedStatement stmt = con.prepareStatement(
"UPDATE user_tab_comments SET comments = ? WHERE table_name = 'my_table'");
Or try to use a simple Statement:
String commentOnTableSQL = String.format("COMMENT ON TABLE my_table is '%s'", comment);
Statement statement = dbConnection.createStatement();
statement.execute(commentOnTableSQL);
The following is my code line:
ResultSet rs3 = stmt6.executeQuery("SELECT * FROM ShopSystem.Order where s_id="+s_id+" AND status="+Pending);
I am getting the following error:
Unknown column 'Pending' in 'where clause'
What could be the reason? I can't get through it.
No doubt, status is a string, so it needs to be compared to a string. Use delimiters:
SELECT * FROM ShopSystem.Order where s_id="+s_id+" AND status='"+Pending+"'"
Or better yet, learn how to write code that uses parameter substitution for putting parameter values into SQL strings.
Change it to
AND status = '" + Pending + "'"
You need to put the string in quotes. Otherwise the DB thinks you mean a column name.
But actually you should use Prepared Statements. Then you don't need to patch the queries together like this, and you don't have to worry about parameters and escaping them.
Don't use concatenation! Use prepared statements:
PreparedStatement stm = conn.prepareStatement("SELECT * FROM ShopSystem.Order where s_id = ? AND status = ?");
stm.setInt(1, s_id);
stm.setString(2, Pending.name());
ResultSet rs = stm.executeQuery();
You must use a PreparedStatement in this case:
// use ? for the 2 values to be bound
String selectSQL = "SELECT * FROM ShopSystem.Order where s_id=? AND status=?";
PreparedStatement preparedStatement = dbConnection.prepareStatement(selectSQL);
// bind the parameters here, in order (1-based index)
preparedStatement.setInt(1, s_id);
preparedStatement.setString(2, "Pending");
// execute and get your ResultSet
ResultSet rs = preparedStatement.executeQuery();