MySQLSyntaxErrorException in query - java

session.getAttribute('loginId')//giving 1
ResultSet rs=st.executeQuery("select * from interest where loginid='session.getAttribute('loginId')'");
or
ResultSet rs=st.executeQuery("select * from interest where loginid='session.getAttribute("loginId")'");
this is giving me sql Exception.
what wrong in my query? while-
ResultSet rs=st.executeQuery("select * from interest where loginid='1'");
is running fine.
I cant call this by storing loginId in String Object.
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'loginId')'' at line 1

Pass in the value returned from getAttribute rather than the literal value session.getAttribute('loginId')
PreparedStatement preparedStatement =
conn.prepareStatement("select * from interest where loginid=?");
preparedStatement.setString(1, session.getAttribute("loginId"));

You have to concat the strings. Not inclusing the parameter in one string:
change to:
ResultSet rs=st.executeQuery("select * from interest where loginid='"+session.getAttribute("loginId")+"'");
Or better use prepared statements. It prevents you for sql injection ans your query will be much more easier to read.

Related

error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '? or tel=?' at line 1

Here's my query:
select *
from reg
where indexno=?
or tel=?
And here's my code:
Class.forName("com.mysql.cj.jdbc.Driver");
Connection con =DriverManager.getConnection("jdbc:mysql://url","unam","pass");
String query = "select * from reg where indexno= ? or tel=?";
PreparedStatement ps = con.prepareStatement(query);
ps.setString(1, in.getText());
ps.setString(2, tl.getText());
Statement st = con.createStatement();
ResultSet rs = st.executeQuery(query);
Let's take a closer look at what your code is doing.
Connecting to the database:
Connection con =DriverManager.getConnection("jdbc:mysql://url","unam","pass");
Creating the SQL query:
String query = "select * from reg where indexno= ? or tel=?"`;
Creating a prepared statement:
PreparedStatement ps = con.prepareStatement(query);
Setting some bind parameter values:
ps.setString(1, in.getText());
ps.setString(2, tl.getText());
Creating a whole new non-prepared statement (wait, what? Why are we not using the prepared statement we spent some time creating?):
Statement st = con.createStatement();
Using the new non-prepared statement to execute the SQL query.
ResultSet rs = st.executeQuery(query);
As a result of the last two lines, your SQL query is sent straight to the MySQL database. MySQL doesn't understand what the ? marks are for, and hence complains with a syntax error about them.
When handling prepared statements, JDBC drivers will either replace the ? marks with the database's own syntax for bind parameters (unless the database supports ? marks directly, but not all databases do), or put the values directly in the SQL string after suitable escaping of any characters, before they send the SQL to the database. Statements don't support bind parameters, and will just send the SQL string they are given straight to the database.
Your code creates a PreparedStatement and sets two bind parameter values. It seems a shame not to actually use your prepared statement once you've created it. You can get the result set you want out of it by calling ps.executeQuery(). There is no need for the separate Statement you created by calling connection.createStatement().
The fix therefore is to remove the last two lines of the code in your question and add the following line in place of them:
ResultSet rs = ps.executeQuery();

SQL error with JDBC, parameter out of range [duplicate]

I am trying to use the java mysql library but I am having issues using a prepared statement. I am not sure what I am missing. Below is what I have with the MYSQL error attempting to use the prepared statement.
String query = "SELECT id, clicks FROM mailer.links WHERE campaign_id=?";
try {
preparedStatement = connect.prepareStatement(query);
preparedStatement.setInt(1, campaignId);
preparedStatement.execute();
Statement st = connect.createStatement();
// execute the query, and get a java resultset
ResultSet rs = st.executeQuery(query);
I am getting the following error:
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException:
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '?' at line 1
It works if I do "campaign_id=" + campaignId , but is a SQL injection waiting to happen.
Try this
ResultSet rs = preparedStatement.executeQuery();
PreparedStatement method executeQuery() itself returns a ResultSet object
So assign this to a ResultSet object
ResultSet rs = preparedStatement.executeQuery();
Error:
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException:
You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '?' at line 1
And this error happens because When
ResultSet rs = st.executeQuery(query);
This statement executes it can't find any value in ? operator.
so your query remains this "SELECT id, clicks FROM mailer.links WHERE campaign_id=?"; and this throws a MySQL Syntax Exception.

Updated: Problem with executing SQL query from Java

Updated:
so as per the suggestions i changed all the column name to strings and added prepared statements-
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/minor","root","alphabet")) {
Statement st = conn.createStatement();
PreparedStatement stmt= conn.prepareStatement("select * FROM ? where name=? ;");
PreparedStatement stmt2= conn.prepareStatement("select * FROM ? where name=? ;");
stmt.setString(1, day_1);
stmt.setString(2, faculty1);
stmt2.setString(1,day_1);
stmt2.setString(2, faculty2);
ResultSet rs=stmt.executeQuery();
ResultSet rs1= stmt.executeQuery();
The day and faculty is retrieved from input screen, the queries work just fine in mysql workbench but the 'select' keyword goes missing when i try to run it from Java, see the following error-
The faculty1, faculty2 is retrieved from the following-
The database looks like this-
I would recommend to use PreparedStatement instead of Statement, then at least you can bind your variables;
You query select from time_interval from day_selected is not correct, I don't think that it will execute anywhere, you need to have something between select and from, and not two from in one statement.

Using MySQL select in Java as String

I have problem with executing query in my Java program. Here is the code:
String selected=offersList.getSelectedValue();
String sql="SELECT * from outcoming_offers where about='"+selected+"'";
pst=con.prepareStatement(sql);
rs=pst.executeQuery();
And when there is single quotes in 'selected' - it is giving me an error:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near.....
So I understand why there is error but I am wondering how to make this work. Are there any other ways except concat()?
It's always better approach is to use prepared statements instead of raw SQL string concatenation.
From your example you should write prepared query like below (parameter to pass are replaced with question marks):
String sql="SELECT * from outcoming_offers where about=?";
PreparedStatement ps = con.preparedStatement(sql);
And then just inject parameter values and execute query:
ps.setString(1, selected);
ResultSet rs = ps.executeQuery();
Thanks to this approach you don't have to deal with SQL query string and single quotes, which is very often error-prone and also (very important) your code is not expose to SQL Injection attacks.
More info in documentation: https://docs.oracle.com/javase/8/docs/api/java/sql/package-summary.html
You are using a Prepared Statement but not passing the required parameter as you should. Change the statement to this:
String sql="SELECT * from outcoming_offers where about=?";
and then pass the parameter:
pst=con.prepareStatement(sql);
pst.setString(1, selected);
This way you set selected as the 1st parameter of the Prepared Statement.
Now you can execute the query:
rs=pst.executeQuery();

Syntax error in delete statement

I am trying to delete the record from my "student" table, the table has two column rollno and student name.
I am using a PreparedStatement but I am getting some error. I could not understand the error. The error is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?' at line 1
here is my code
String query = "delete from student where rollno = ?";
PreparedStatement pst = con.prepareStatement(query);
pst.setInt(1, 7);
pst.executeUpdate(query);
Likely you are calling the execute like this:
pst.executeUpdate(query);
This will execute the raw query, without the parameter you set before.
You want to execute the prepared query instead, so just use:
pst.executeUpdate();

Categories

Resources