Develop Reference

Code throws SQLException but SQL code execute successful [duplicate]

I have a Java-code:
String searchPerson = "select * from persons where surname like ? and name like ?";
//connect to DB
PreparedStatement statement = connect.prepareStatement(searchPerson);
statement.setString(1,"%"+ surname + "%");
statement.setString(2, "%" + name + "%");
ResultSet resultPerson = statement.executeQuery(searchPerson);
//..code
Then I have SQLException:
you have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?'

You should execute the PrepareStatement with no parameters as follows:
statement.executeQuery()
Calling executeQuery with a String parameter will execute the provided query as is (without the bound parameters).

ResultSet resultPerson = statement.executeQuery(searchPerson);
should be
ResultSet resultPerson = statement.executeQuery();

Try with statement.setString(1,"'%"+ surname + "%'");

How to convert " ' " to " ` " in java

The syntax that from the java code is not applicable to mysql. The setString() from java will come out with ' and not ` which is not accepted in mysql.
I tried in my localhost to run the code, it really not accepting 'doctor' and only accept ``doctor`.
Below are my code:
PreparedStatement ps = con.prepareStatement("SELECT id FROM ? WHERE id = ?");
ps.setString(1, "doctor");
ps.setInt(2, 123);
ResultSet rs = ps.executeQuery();
and there is an error
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''doctor' WHERE id = 123' at line 1

It's because your code produces following query:
SELECT id FROM 'doctor' WHERE id = 123
As you can see table name is used as a String which is invalid SQL Syntax, so you can either hard code table name and or if you really want it to be dynamic you can achieve it like:
String sql = String.format("SELECT id from %s where id = ?", tblName);
PreparedStatement ps = con.prepareStatement(sql);
ps.setInt(1, 123);
ResultSet rs = ps.executeQuery();

PreparedStatement execution says MySQLSyntaxErrorException although works in MySQL console

I've written the following code (snippet):
conn = Pooling.getDataSource().getConnection();
String databaseName = Configuration.getDatabaseName();
String sql = "SELECT * FROM " + databaseName + ".companies WHERE companyemail = ? AND companypassword = MD5(?)";
PreparedStatement prepStat = conn.prepareStatement(sql);
prepStat.setString(1, username);
prepStat.setString(2, password);
System.out.println("LoginService: prepStat = " + prepStat.toString());
ResultSet rs = prepStat.executeQuery(sql);
...
Now, when I execute this, I'm getting a MySQLSyntaxErrorException. The prepStat.toString() prints:
SELECT * FROM dbname.companies WHERE companyemail = 'comp#comp.com' AND companypassword = MD5('passwort')
And a simple copy and paste to SequelPro successfully return a result.
However, the backend still claims that there is an error in the syntax:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '? AND companypassword = MD5(?)' at line 1
Maybee I'm blind but I do not see an error here? But what is happening here?

Okay, I found out what the problem was. I used:
ResultSet rs = prepStat.executeQuery(sql);
However, I should have used
ResultSet rs = prepStat.executeQuery();
instead.

Try this:
String sql = "SELECT * FROM '" + databaseName + ".companies' WHERE companyemail=? AND companypassword = MD5(?)";
Notice the single quote before the databaseName variable and after .companies . I think that could be the problem.
Or you could do this:
String sql = "SELECT * FROM ? WHERE companyemail =? AND companypassword = MD5(?)";
PreparedStatement prepStat = conn.prepareStatement(sql);
prepStat.setString(1, databaseName);
prepStat.setString(2, username);
prepStat.setString(3, password);
I believe the problem is at the level of parsing the databaseName to the prepared statement.

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException | JAVA

i want to get the Number of Entries in a table in My java Project.
This is my code:
int count = 0;
Statement st = Mysql.con.createStatement();
ResultSet rs= st.executeQuery("select count(*) from keys where spieler =" +p.getName());
while (rs.next()){
count = rs.getInt(1);
}
I am getting following SQLEXCEPTION:
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your
SQL syntax; check the manual that corresponds to your MySQL server version for the
right syntax to use near 'keys where spieler =Pit910' at line 1
What is worng?
Thanks!

keys is a reserved MySQL keyword which needs to be escaped (either that or ALTER the table to give it a different name). Try this
PreparedStatement preparedStatement =
con.prepareStatement("select count(*) from `keys` where spieler = ?");
preparedStatement.setString(1, p.getName());
ResultSet rs= preparedStatement.executeQuery();
...

Use quotes around text field values,
You can optionally use backtick around field name or use table_name.field_name
ResultSet rs= st.executeQuery("select count(*) from
`keys` where spieler = '" + p.getName() + "' ");

How to escape user-supplied parameters with a SQL query?

Trying to get started with JDBC (using Jetty + MySQL). I'm not sure how to escape user-supplied parameters in a SQL statement. Example:
String username = getDangerousValueFromUser();
Statement stmt = conn.createStatement();
stmt.execute("some statement where username = '" + username + "'"));
How do we escape "username" before use with a statement?

Use Prepared statement.
for example :
con.prepareStatement("update Orders set pname = ? where Prod_Id = ?");
pstmt.setInt(2, 100);
pstmt.setString(1, "Bob");
pstmt.executeUpdate();
It will prevent raw SQL injection
If you want to escape sql string then check for StringEscapeUtils.escapeSql(). Note that that this method was deprecated in Commons Lang 3.
Also See
does-using-preparedstatement-mean-there-will-not-be-any-sql-injection