I am trying to make a connection to a database and then run an INSERT INTO query, but when the code runs, i get the error: com.microsoft.sqlserver.jdbc.SQLServerException: Invalid column name 'BLUE'.
As you can see in my code below, i give "BLUE" as an value instead of an column name. Does anyone knows what i am doing wrong? p.s. color is an Enum, all the other values are doubles.
String query = "INSERT INTO [oval] " +
"(anchorX, anchorY, width, height, weight, color) VALUES " +
"(" + drawingItem.getAnchor().getX() +
", " + drawingItem.getAnchor().getY() +
", " + drawingItem.getWidth() +
", " + drawingItem.getHeight() +
", " + ((Oval) drawingItem).getWeight() +
", " + drawingItem.getColor().toString() + ")";
initConnection();
Statement myStmt = con.createStatement();
rowsAffected = myStmt.executeUpdate(query);
closeConnection();
EDIT ANSWER:
String query = "INSERT INTO [oval] VALUES (?,?,?,?,?,?)";
initConnection();
PreparedStatement myPrepStmt = con.prepareStatement(query);
myPrepStmt.setDouble(1, drawingItem.getAnchor().getX());
myPrepStmt.setDouble(2, drawingItem.getAnchor().getY());
myPrepStmt.setDouble(3, drawingItem.getWidth());
myPrepStmt.setDouble(4, drawingItem.getHeight());
myPrepStmt.setDouble(5, ((Oval)drawingItem).getWeight());
myPrepStmt.setString(6, drawingItem.getColor().toString());
rowsAffected = myPrepStmt.executeUpdate();
closeConnection();
As suggested, use parametrized query to prevent SQL injection. As for the problem in hand, you must use single quote to each string values.
Ex:
"('" + drawingItem.getAnchor().getX() +
"', '" +
Correct way would be:
String query = "INSERT INTO [oval] " +
"(anchorX, anchorY, width, height, weight, color) VALUES " +
"(?, ?, ?, ?, ?, ?)";
initConnection();
int i = 1;
Statement myStmt = con.prepareStatement(query);
myStmt.setInt(i++, drawingItem.getAnchor().getX());
myStmt.setInt(i++, drawingItem.getAnchor().getY());
myStmt.setString(i++, drawingItem.getWidth());
myStmt.setString(i++, drawingItem.getHeight());
myStmt.setFloat(i++, ((Oval) drawingItem).getWeight());
myStmt.setString(i++, drawingItem.getColor().toString());
rowsAffected = myStmt.executeUpdate();
Related
I am using an insert query for a CallableStatement. This is my query as a String:
String strInsert = "INSERT INTO this_table (loc_nbr, rpt_nbr, rpt_type, office_code, date_submitted, rpt_seq, alcohol, drugs, cyber, priority) VALUES (?, ?, ?, 'HOME', sysdate, ?, ?, ?, ?, ?);";
The CallableStatement I am using is:
CallableStatement cs = Connection.prepareCall(strInsert);
cs.setString(1, "'" + strLocationNumber + "'");
cs.setString(2, "'" + strReportNumber + "'");
cs.setString(3, "'" + strReportType + "'");
cs.setString(6, "'" + strReportSeq + "'");
cs.setString(7, "'" + strAlcohol + "'");
cs.setString(8, "'" + strDrugs + "'");
cs.setString(9, "'" + strCyber + "'");
cs.setString(10, "'" + strPriority + "'");
cs.execute();
Upon running this, I get a java.sql.SQLException: Invalid column index
I am currently using Oracle for the database and I would like to exactly why am I receiving this error.
This is the indication that the table structure and the insert statement via Callable has a mismatch in the columns available and provided in query
Java wraps this exception to get more insight on the callable/prepared/sql statement.
The placeholder index correction is needed check for the ? and then move your hardcoded value to the far end from in-between like HOME and sysdate and then the continuity of the placeholder index would work well.
String strInsert = "INSERT INTO this_table (loc_nbr, rpt_nbr, rpt_type, rpt_seq, alcohol, drugs, cyber, priority,office_code,date_submitted) VALUES (?, ?, ?, ?, ?, ?, ?, ?,'HOME', sysdate,);";
CallableStatement cs = Connection.prepareCall(strInsert);
cs.setString(1, "'" + strLocationNumber + "'");
cs.setString(2, "'" + strReportNumber + "'");
cs.setString(3, "'" + strReportType + "'");
cs.setString(4, "'" + strReportSeq + "'");
cs.setString(5, "'" + strAlcohol + "'");
cs.setString(6, "'" + strDrugs + "'");
cs.setString(7, "'" + strCyber + "'");
cs.setString(8, "'" + strPriority + "'");
cs.execute();
The setString() index number is supposed to refer to the n'th occurrence of the ? placeholder.
Your query has two hardcoded values
'HOME', sysdate
they are not counted as placeholder indexes.
I am trying to read from a mysql table and I am doing the following:
protected void pushRegisteredStudentsData() {
try {
conn = (Connection) DriverManager.getConnection(DB_URL, USER, PASS);
stmt = conn.createStatement();
String userID = "SELECT * FROM STUDENT";
rs = stmt.executeQuery(userID);
while (rs.next()) {
int id = rs.getInt("ID");
this.studentID = id;
String insertSql = "INSERT INTO REGISTEREDSTUDENTS(StudentID, ModuleCode) VALUES ('" + studentID + "', + '"
+ this.moduleCode + "')";
System.out.println("Inserting into REGISTEREDSTUDENTS.. [" + id + "]" + "[" + this.moduleCode + "]");
stmt.executeUpdate(insertSql);
}
} catch (SQLException e) {
}
}
..but for some reason,
while (rs.next()) {
int id = rs.getInt("ID");
always returns the same ID, even though the table has different ID's on every line!
Does anyone have an idea why that might be?
Thank you in advance! :(
EDIT:
I was using a single statement to execute 2 updates, which was causing the problem!
It is a bit weird that it returns always the same value because it should only return the first value ONCE.
If you print the stacktrace instead of just catching the exception and doing nothing, you will see that it will print something like:
java.sql.SQLException: Operation not allowed after ResultSet closed
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1073)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:987)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:982)
at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:927)
at com.mysql.jdbc.ResultSetImpl.checkClosed(ResultSetImpl.java:794)
You are using THE SAME statement for a Select and then for an Insert. This causes the resultSet that is "attached" to the Statement to close because it is not supposed to be used again.
It can be easily fixed by creating another statement:
String insertSql = "INSERT INTO REGISTEREDSTUDENTS(StudentID, ModuleCode) VALUES ('" + studentID + "', + '"
+ this.moduleCode + "')";
System.out.println("Inserting into REGISTEREDSTUDENTS.. [" + id + "]" + "[" + this.moduleCode + "]");
Statement stmt2 = conn.createStatement();
stmt2.executeUpdate(insertSql);
Basically I'm trying to update a Database table with the values of a getSelectRow. As you can see, the query finds the correct data, but has huge issues when actually trying to add it to the database.
The error is in the SQL syntax, but I don't know where I'm going wrong. Please Help.
This is the query that it executes, but I have no idea why it isn't updating the table.
INSERT INTO customerdetails
FName = 'Tim'
AND SName = 'Cooley'
AND Address = '52 Buckminster Drive Dorridge Solihull West Mids'
AND Postcode = 'B93 8PG'
Java code:
private void sendBtnMouseClicked(java.awt.event.MouseEvent evt) {
// TODO add your handling code here:
int insertRow = newOrderTbl.getSelectedRow();
int col2 = 0;
String sql3 = "INSERT INTO customerdetails VALUES "
+ "FName = '" + newOrderTbl.getValueAt(insertRow, col2) +"'"
+ "AND SName = '" + newOrderTbl.getValueAt(insertRow, col2+1) +"'"
+ "AND Address = '" + newOrderTbl.getValueAt(insertRow, col2+2) +"'"
+ "AND Postcode = '" + newOrderTbl.getValueAt(insertRow, col2+3) +"'";
System.out.println(sql3);
try{
pst = conn.prepareStatement(sql3);
pst.executeUpdate(sql3);
JOptionPane.showMessageDialog(null, "Deleted");
CustomerTable();
}
catch (Exception e){
JOptionPane.showMessageDialog(null, e);
}
}
To begin with, your SQL syntax is wrong (at least that it is a non-standard SQL syntax for your database engine). Second, your code is vulnerable to SQL Injection attack.
In order to solve both problems, you should use a PreparedStatement (that you're doing in the wrong way). A basic example from your code:
String sql = "INSERT INTO customerdetails (FName, SName, Address, Postcode) VALUES (?, ?, ?,?)";
PreparedStatement pst = conn.prepareStatemtnt(sql);
pst.setString(1, newOrderTbl.getValueAt(insertRow, col2));
pst.setString(2, newOrderTbl.getValueAt(insertRow, col2+1));
pst.setString(3, newOrderTbl.getValueAt(insertRow, col2+2));
pst.setString(4, newOrderTbl.getValueAt(insertRow, col2+3));
pst.executeUpdate();
//rest of code...
Assuming your SQL syntax will work, then you should pass the values as parameters, similar to the previous example:
String sql3 = "INSERT INTO customerdetails VALUES "
+ "FName = ?"
+ "AND SName = ?"
+ "AND Address = ?"
+ "AND Postcode = ?"
pst = conn.prepareStatement(sql3);
pst.setString(1, newOrderTbl.getValueAt(insertRow, col2));
pst.setString(2, newOrderTbl.getValueAt(insertRow, col2+1));
pst.setString(3, newOrderTbl.getValueAt(insertRow, col2+2));
pst.setString(4, newOrderTbl.getValueAt(insertRow, col2+3));
pst.executeUpdate();
//rest of code...
for update statement it will be -
String sql3 = "INSERT INTO customerdetails(FName,SName,Address,Postcode) VALUES "
+ " '" + newOrderTbl.getValueAt(insertRow, col2) +"',"
+ " '" + newOrderTbl.getValueAt(insertRow, col2+1) +"',"
+ " '" + newOrderTbl.getValueAt(insertRow, col2+2) +"',"
+ " '" + newOrderTbl.getValueAt(insertRow, col2+3) + "')";
Also you should use PreparedStatement for this.
Thanks
Please change it to
String sql3 = "INSERT INTO customerdetails(FName,SName,Address,Postcode) VALUES ("
+ "'" + newOrderTbl.getValueAt(insertRow, col2) +"'"
+ "'" + newOrderTbl.getValueAt(insertRow, col2+1) +"'"
+ "'" + newOrderTbl.getValueAt(insertRow, col2+2) +"'"
+ "'" + newOrderTbl.getValueAt(insertRow, col2+3) +"')";
The generated insert statement in your code seems invalid. Please see SQL Insert Statement for more information
Also, the better approach would be to create a dedicated Serverside DAO class to handle database operations.
I have the following string which holds the query I want to execute:
query = "UPDATE inventario"
+ " set descripcion = '" + descripcion + "',"
+ " set bodega = '" + bodega + "'"
+ " where codigo = " + codigo;
I get an Update statement syntax error but I dont see where is the error. Any help is appreciated.
columns "descripcion" and "bodega" are text type columns.
Well it's probably because you've got multiple set parts instead of using comma separation, and potentially because you don't have quotes around the codigo value (if that's another string)... but I'd strongly advise you not to create SQL like this anyway, with values directly in the SQL.
Instead, use a prepared statement:
String sql = "UPDATE inventario set descripcion=?, bodega=? where codigo=?";
PreparedStatement st = conn.prepareStatement(sql);
st.setString(1, descripcion);
st.setString(2, bodega);
st.setString(3, codigo);
Using prepared statements has three immediate benefits:
It avoids SQL injection attacks (think about what happens if your description has a quote in it)
It separates code (SQL) from data (the values)
It means you avoid conversions for types like datetime, where going via a string representation is a huge potential source of error
Remove extra SET on your query.
query = "UPDATE inventario"
+ " set descripcion = '" + descripcion + "',"
+ " bodega = '" + bodega + "'"
+ " where codigo = " + codigo;
but that query is vulnerable with SQL Injection. Please parameterize your query.
Example,
String query = "UPDATE inventario" +
" set descripcion = ?, bodega = ? " +
" where codigo = ?";
PreparedStatement prep = connection.prepareStatement(query);
prep.setString(1, descripcion);
prep.setString(2, bodega);
prep.setInt(3, codigo);
prep.executeUpdate();
SET keyword is needed only once. Multiple columns that are being updated should be separated by commas, as in the below statement.
query = "UPDATE inventario"
+ " set descripcion = '" + descripcion + "',"
+ " bodega = '" + bodega + "'"
+ " where codigo = " + codigo;
BTW, it is highly recommended to use PreparedStatement for such operations instead of forming the query like this to avoid SQL Injection attacks.
query = "UPDATE inventario"
+ " set descripcion = ?, bodega = ? "
+ " where codigo = ?";
PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1, descripcion);
ps.setString(2, bodega);
ps.setInt(3, codigo);
int updateCount = ps.executeUpdate();
1.How do I use PrepareStatement for familyname and givenname?
2.Also, how do I case insensitive search by familyname or givenname?
String query ="SELECT agent.familyname, agent.givenname" +
" FROM agent" +
" WHERE agent.agentid = piececreation.agentid" +
" AND (LOWER(familyname) = '"+agent_lastname+"' OR LOWER(givenname) = '"+agent_name+"') ORDER by familyname";
PreparedStatement pst = conn.prepareStatement(query, Statement.RETURN_GENERATED_KEYS);
pst.setString(1, agent_lastname);
pst.setString(2, agent_name);
// Executing the insert
pst.executeUpdate();
Make familyName or givenName to lowercase too since you are already using LOWER DB API
String query ="SELECT agent.familyname, agent.givenname" +
" FROM agent" +
" WHERE agent.agentid = piececreation.agentid" +
" AND (LOWER(familyname) = '"+agent_lastname.toLowerCase()+"' OR LOWER(givenname) = '"+agent_name.toLowerCase()+"') ORDER by familyname";
When you are using PreparedStatement dont append values directly in your SQL, if you do that you are prone to SQL Attack instead parametrize your values.
String query =
"SELECT agent.familyname, agent.givenname"
+ " FROM agent"
+ " WHERE agent.agentid = ?"
+ " AND ("
+ " LOWER(familyname) = ? OR LOWER(givenname) = ?"
+ ") "
+ " ORDER by familyname";
pst.setInt(1, piececreation.agentid);
pst.setString(2, agent_lastname.toLowerCase());
pst.setString(3, agent_name.toLowerCase());
Then set values calling appropriate setXXX methods as defined here.
You can read tutorial here
You can use the following query for caseinsensetive search.
String query =
"SELECT agent.familyname, agent.givenname"
+ " FROM agent"
+ " WHERE agent.agentid = ?"
+ " AND ("
+ " familyname ilike ? OR givenname ilike ?"
+ ") "
+ " ORDER by familyname";
pst.setInt(1, piececreation.agentid);
pst.setString(2, agent_lastname.toLowerCase());
pst.setString(3, agent_name.toLowerCase());