I am trying to move all query executions from Statement to PreparedStatement due to SQL injection. My original issue was with update statement, but I wanted to try it with select statement as well. When I execute the below line of code, the statement returns nothing.
String selectQuery = "select is_enabled, syllabus_id from ic_syllabus where syllabus_id=?";
PreparedStatement pstmt = conn.prepareStatement(selectQuery);
pstmt.setString(1, "25AC1CFB7C1A2CF07F176BD3A296F229");
ResultSet rs = pstmt.executeQuery();
while(rs.next()){
String flag = rs.getString(1);
String sybsId = rs.getString(2);
}
I am using Oracle database and am not getting any exceptions either.
Related
I have sql query which is shown below its a select statement I want to pass dynamically the values but I am not aware how can we do it .here I want to pass product and location dynamically
can anyone help in this ..
public static ResultSet RetrieveData() throws Exception {
PreparedStatement statement;
String sql = "select * FROM Courses WHERE "
+ "product = product? "
+ "and location = location? ";
System.out.println(sql);
DriverManager.registerDriver(new com.mysql.cj.jdbc.Driver());
String mysqlUrl = "jdbc:mysql://localhost:3306/wave1_build";
Connection con = DriverManager.getConnection(mysqlUrl, "root", "root");
statement = con.prepareStatement(sql);
ResultSet rs = statement.executeQuery(sql);
return rs;
One approach is to use plain ? placeholders along with the appropriate setters to bind values:
String sql = "SELECT * FROM Courses WHERE product = ? AND location = ?";
statement = con.prepareStatement(sql);
statement.setString(1, "some product");
statement.setString(2, "some location");
// NOTE: executeQuery() when used with prepared statements does NOT take any parameters
ResultSet rs = statement.executeQuery();
My code looks as follows:
ResulSet rs = stmt.executeQuery("select passwd from mrs_user where email="+mail_id);
String usr_paswd = rs.getString(1);
But the error is as follows:
java.sql.SQLException: ORA-04054: database link G.COM does not exist
mail_id=dk#g.com
First, String should be between to quotes 'mail_id', but this way is not secure it can cause SQL Injection or syntax error instead you can use PreparedStatement.
Second, you still not get any result, you have to call rs.next() before to moves the cursor to the next row (read about Retrieving and Modifying Values from Result Sets).
Code example
String usr_paswd = null;
try (PreparedStatement stmt = connection.prepareStatement(
"select passwd from mrs_user where email=?")) {
stmt.setString(1, mail_id);
ResulSet rs = stmt.executeQuery();
if(rs.next()){
usr_paswd = rs.getString(1);
}
}
When I debug, I get this error :
Column 'place1' not found.
I was able to verify that it has column place1 in sql.
Is it because I can not have two database connection in one function? I am unsure on how to further debug the problem.
Case.java
System.out.println("The highest value is "+highest+"");
System.out.println("It is found at index "+highestIndex+""); // until now it works fine
String sql ="Select Day from menu where ID =?";
DatabaseConnection db = new DatabaseConnection();
Connection conn =db.getConnection();
PreparedStatement ps = conn.prepareStatement(sql);
ps.setInt(1, highestIndex);
ResultSet rs = ps.executeQuery();
if (rs.next())
{
int kb=rs.getInt("Day");
System.out.println(kb);
if(kb==k) // k is a value getting from comboBox
{
String sql1 ="Select * from placeseen where ID =?";
DatabaseConnection db1 = new DatabaseConnection();
Connection conn1 =db1.getConnection();
PreparedStatement ps1 = conn.prepareStatement(sql);
ps.setInt(1, highestIndex);
ResultSet rs1 = ps.executeQuery();
if (rs1.next())
{
String aaa=rs1.getString("place1");
String bbb=rs1.getString("place2");
Tourism to =new Tourism();
to.setPlace1(aaa);
to.setPlace2(bbb);
DispDay dc=new DispDay();
}
ps1.close();
rs1.close();
conn1.close();
}
else
{
System.out.print("N");
System.out.println("Sorry!!!");
}
}
ps.close();
rs.close();
conn.close();
Trace your code to see where you're getting the data. The error is on this line:
String aaa=rs1.getString("place1");
Where does rs1 come from?:
ResultSet rs1 = ps.executeQuery();
Where does ps come from?:
PreparedStatement ps = conn.prepareStatement(sql);
Where does sql come from?:
String sql ="Select Day from menu where ID =?";
There's no column being selected called place1. This query is only selecting a single column called Day.
Maybe you meant to get the result from the second prepared statement?:
ResultSet rs1 = ps1.executeQuery();
There are probably more such errors. Perhaps several (or many) more. Because...
Hint: Using meaningful variable names will make your code a lot easier to follow. ps, ps1, rs1, etc. are very easy to confuse. Name variables by the things they conceptually represent and your code starts to read like a story which can be followed. Variable names like daysQuery and daysResults and placesResults make it more obvious that something is wrong when you try to find a "place" in a variable which represents "days".
In your second query:
PreparedStatement ps1 = conn.prepareStatement(sql);
you are accidentally using the variable sql instead of your previously defined sql1. Replace it and it will be ok.
I need to execute this SQL code:
exec procedure(param, param, param, param)
select * from bla_bla_table;
commit;
And get a ResultList from this query.
I tried to do it like this:
CallableStatement stmt = connection.prepareCall("{call procedure(param,param,param,param)}");
stmt.execute();
How can I insert sql statement select * from bla_bla_table; here before commit to get the ResultSet. I tried a lot of ways to do that... but nothing helps.
Did you try this?
connection.setAutoCommit(false); // Disable Auto Commit
CallableStatement stmt = connection.prepareCall("{call procedure(param,param,param,param)}");
stmt.execute();
Statement stmt2 = connection.createStatement();
ResultSet rs = stmt2.executeQuery("select * from bla_bla_table"); // Result set for Query
connection.commit();
Add this code after the execution of your code.
PreparedStatement prep = connection.prepareStatement(string);
ResultSet rs = prep.executeQuery();
// now iterate the resultset.
Before everything you should make sure that you run a transaction by setting the autocommit option of the connection to false.
connection.setAutoCommit(false);
String poster = "user";
Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery("SELECT * FROM `prices` WHERE `poster`="+poster);
This does not work.Any tips or tricks would be appreciated.
Try surrounding the poster variable with single quotes, like this:
ResultSet rs = stmt.executeQuery("SELECT * FROM `prices` WHERE `poster`='"+poster+"'");
That's because SQL expects strings to be surrounded by single quotes. An even better alternative would be to use prepared statements:
PreparedStatement stmt = con.prepareStatement("SELECT * FROM `prices` WHERE `poster` = ?");
stmt.setString(1, poster);
ResultSet rs = stmt.executeQuery();
It's recommended using PreparedStatement since the way you are currently building the query (by concatenating strings) makes it easy for an attacker to inject arbitrary SQL code in a query, a security threat known as a SQL injection.
1) In general, to "parameterize" your query (or update), you'd use JDBC "prepared statements":
http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html
2) In your case, however, I think all you need to do is add quotes (and lose the back-quotes):
// This is fine: no back-quotes needed
ResultSet rs = stmt.executeQuery("SELECT * FROM prices");
// Since the value for "poster" is a string, you need to quote it:
String poster = "user";
Statement stmt = con.createStatement();
ResultSet rs =
stmt.executeQuery("SELECT * FROM prices WHERE poster='" + poster + "'");
The Statement interface only lets you execute a simple SQL statement with no parameters. You need to use a PreparedStatement instead.
PreparedStatement pstmt = con.prepareStatement("
select * from
prices where
poster = ?");
pstmt.setString(1, poster);
ResultSet results = ps.executeQuery();