java.sql.SQLSyntaxErrorException: ORA-00936: missing expression - java

I wrote a simple SQL query in Oracle which inserts some values.
But I got SQLSyntaxErrorException stating a "missing expression" error.
This is my query:
String addManager = "INSERT INTO property_manager(EIN,NAME,HOME_PHONENUMBER,MOBILE_PHONENUMBER,EMAIL,PROPERTY_CIN)" +
"VALUES (" + mein.getText() + "," + mname.getText() +","+ mHome_phonenumber.getText() +","+ MMobile_phonenumber.getText()+"," + memail.getText() + ","+mproperty_cin.getText()+")";

The best solution is using a java.sql.PreparedStatement.
It prevents SQL injection
Escapes invalid characters in your Strings (such as ') and the characters which will break your query
Handles null and empty Strings
Uses Oracle's query parsing cache (for better performance)
Handles types such as Date and Blob much easier
Just google for java PreparedStatement and you will see lots of samples.

You should put your values inside quotes.
String addManager = "INSERT INTO property_manager(EIN,NAME,HOME_PHONENUMBER,MOBILE_PHONENUMBER,EMAIL,PROPERTY_CIN)" +
"VALUES ('" + mein.getText() + "','" + mname.getText() +"','"+ mHome_phonenumber.getText() +"','"+ MMobile_phonenumber.getText()+"','" + memail.getText() + "','"+mproperty_cin.getText()+"')";
Or better yet, use parameters. Otherwise you risk an SQL injection attack.

Related

INSERT INTO with embedded apostrophe

Eclipse neon.1 (4.6.1) java;
SQLite 3.8.7 (sqlite-jdbc-3.8.7.jar)
I am attempting to insert customer's data into a table using the following code snippet:
PreparedStatement ps;
insertSQL = "INSERT INTO tbl_TotalPatent "
+ "(Abstract, `Application/Filing Date`, `Application Number`) "
+ "VALUES ("
+ "'" + _field[0] + "', "
+ "'" + _field[1] + "', "
+ "'" + _field[2] + "');";
ps = con.prepareStatement(insertSQL);
ps.execute();
Unfortunately, the client's data has an embedded apostrophe, which I cannot change. The "INSERT INTO" statement bombs out when finding the apostrophe, assuming it is a single quote:
java.sql.SQLException: [SQLITE_ERROR] SQL error or missing database (near "s": syntax error)
I've tried various permutations of the INSERT INTO statement to use different characters for the single quote - to no avail.
I presume there is an "easy" work-around, but I can't find it. The solution is probably posted somewhere on stackoverflow, but I can't find it. Can someone point me in the right direction?
You can replace that apostrophe with a double apostrophe, which is the standard SQL escape sequence for '.
Simply do that with the following snippet:
+ "'" + _field[x].replaceAll("'", "''") + "', "
You could also use " instead of ' in your sql statement like the following:
+ "\"" + _field[x] + "\", "
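The two INSERT questions above (the Oracle property_manager insert and this SQLite one) both come down to binding values instead of concatenating them. The following is an added example, not code from any of the posts; it assumes sqlite-jdbc on the classpath and an in-memory database, and the class name, the `insertRow` helper and the sample rows are illustrative.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class ApostropheInsert {
    // Column names come from the question; values are bound, never concatenated.
    static final String INSERT_SQL =
        "INSERT INTO tbl_TotalPatent "
        + "(Abstract, `Application/Filing Date`, `Application Number`) "
        + "VALUES (?, ?, ?)";

    // Hypothetical helper: binds the three fields in column order.
    static void insertRow(Connection con, String[] field) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            for (int i = 0; i < 3; i++) {
                ps.setString(i + 1, field[i]); // JDBC parameter indexes start at 1
            }
            ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample rows: an embedded apostrophe, and quote/comment/semicolon
        // characters that would change the statement if they were concatenated in.
        String[][] rows = {
            {"Inventor's improved widget", "2016-10-01", "15/000,001"},
            {"quote ' comment -- semicolon ;", "2016-10-02", "15/000,002"},
        };
        try (Connection con = DriverManager.getConnection("jdbc:sqlite::memory:")) {
            try (Statement st = con.createStatement()) {
                st.execute("CREATE TABLE tbl_TotalPatent (Abstract TEXT, "
                    + "`Application/Filing Date` TEXT, `Application Number` TEXT)");
            }
            for (String[] row : rows) {
                insertRow(con, row);
            }
            try (Statement st = con.createStatement();
                 ResultSet rs = st.executeQuery("SELECT Abstract FROM tbl_TotalPatent")) {
                while (rs.next()) {
                    System.out.println(rs.getString(1)); // each value comes back as stored
                }
            }
        }
    }
}
```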

Pass email as a parameter for SQL query, PostgreSQL, JAVA

I'm trying to pass the email as a parameter for the SELECT SQL query in my JAVA back-end.
As I understood, for some reason it passes only "email_name" from "email_name#email.com". (Getting this error):
Threw a SQLException creating the list of blogs.
ERROR: column "email_name" does not exist
Position: 174
There are existing rows which contain "email_name#email.com".
(Why "ERROR: column"? according to query it should look for a value, no?)
Here is My query:
String active_user = "email_name#email.com"; //email_name#email.com - example, active_user receive some path variable and on this particular moment(before query execution) contains exactly "email_name#email.com".
ResultSet rs = st.executeQuery("SELECT \n" +
" goods.item_title, \n" +
" goods.item_descr, \n" +
" goods.item_email,\n" +
" goods.item_images,\n" +
" goods.item_phone, \n" +
" goods.item_price \n" +
"FROM \n" +
" public.goods\n" +
"WHERE goods.owner = "+active_user+"\n" +
"ORDER BY\n" +
" goods.item_id ASC;");
So the question is - how to pass full email to query?
Try using String active_user = "'email_name#email.com'"; with single quotes, since Postgres recognizes it as a column when you use double quotes.
You should use PreparedStatement. This is an example
Very unsafe approach, you should use PreparedStatement to avoid SQL injection. Here is an existing answer

sql syntax error MySQLSyntaxErrorException

String sql = "INSERT INTO order " + "(customerid, pant, shirt, date) "
+ "VALUES ('" + jTextField1.getText() + "','" + jTextField2.getText()
+ "','" + jTextField3.getText() + "','" + jTextField4.getText() + "')";
When I tried this, I got the following error:
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near
'order (customerid, pant, shirt, date) VALUES ('10','2','3','26')' at line 1
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method).
You need to escape reserved words like order with backticks:
INSERT INTO `order` (customerid, ...
Besides that I recommend using Prepared Statements.
The table name "order" is a reserved word, so please change the table name and try it.

MySQL query error from Java

I've got the following query in my Java code. But when I run it, it says a syntax error in the query.
What am I doing wrong here?
"Inset into department ( dept_name, dept_desc ) values ('" + deptName + "','" + deptDesc + "')"
It's INSERT, not Inset. This is a simple typo. Replace the word.
"Inset into department ( dept_name, dept_desc ) values ('" + deptName + "','" + deptDesc + "')"
^^^^^^
For future reference, as a beginner, using an SQL formatter might help point out the error for nagging issues like these.

Multiselect month from table - sqlite

I get 1-n selected months from a JList.
Now I'd like to select rows from a sqlite DB with the selected months.
Is there an easy way to build the select string, e.g. with a loop and a LIKE statement?
resultSet = statement
.executeQuery("SELECT sum(Betrag) FROM record WHERE strftime('%Y',Datum)='"
+ options.getList_years().get(options.getCurrent_year_index())
+ "' AND strftime('%m',Datum) LIKE '"
+ "02 || 04 || 12" //Here are the months,
+ "' AND Sektion LIKE '"
+ "%"
+ "' AND Inhaber LIKE '"
+ list_accounts.getSelectedValue()
+ "' AND Ausgabe='"
+ "true';");
Or does it have to look like this?
strftime('%m',Datum)='02' OR strftime('%m',Datum)='04' OR strftime('%m',Datum)='12'
You should use an IN clause:
... AND strftime('%m',Datum) IN ('02', '04', '12')
But you should definitely not use string concatenation to set parameters dynamically in your query. This is the best way to suffer from SQL injection attacks. Use prepared statements, with a ? placeholder for each of your parameters:
SELECT sum(Betrag) FROM record WHERE strftime('%Y',Datum) = ? ...
Learn more about prepared statements in the JDBC tutorial.
You will indeed have to use some loop or utility to build the IN clause. StringUtils from commons-lang is useful here:
"... AND strftime('%m',Datum) IN (" + StringUtils.repeat("?", ", ", months.size()) + ")"

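The placeholder-per-month approach from the last answer, as an added example that is not part of the original posts. It uses String.join and Collections.nCopies from the JDK in place of StringUtils and assumes sqlite-jdbc on the classpath; the class and method names, the table layout, the sample rows and the reduced WHERE clause (year, months and Inhaber only) are constructed for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class MonthFilter {
    // One "?" per selected month; an empty IN () is a syntax error, so reject it early.
    static String buildSql(int monthCount) {
        if (monthCount < 1) {
            throw new IllegalArgumentException("select at least one month");
        }
        String marks = String.join(", ", Collections.nCopies(monthCount, "?"));
        return "SELECT sum(Betrag) FROM record WHERE strftime('%Y', Datum) = ?"
            + " AND strftime('%m', Datum) IN (" + marks + ")"
            + " AND Inhaber = ?";
    }

    static double sumFor(Connection con, String year, List<String> months,
                         String owner) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(buildSql(months.size()))) {
            int i = 1;
            ps.setString(i++, year);
            for (String month : months) {
                ps.setString(i++, month); // bound as data, in placeholder order
            }
            ps.setString(i, owner);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getDouble(1) : 0.0; // a NULL sum reads as 0.0
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection con = DriverManager.getConnection("jdbc:sqlite::memory:");
             Statement st = con.createStatement()) {
            // Constructed sample data, not from the original post.
            st.execute("CREATE TABLE record (Betrag REAL, Datum TEXT, Inhaber TEXT)");
            st.execute("INSERT INTO record VALUES (10.0, '2016-02-03', 'Anna'),"
                + " (20.0, '2016-04-09', 'Anna'), (40.0, '2016-05-01', 'Anna')");
            System.out.println(sumFor(con, "2016", Arrays.asList("02", "04", "12"), "Anna"));
        }
    }
}
```

Only the number of placeholders is derived from the selection; the month values themselves never become part of the SQL text.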