I need to insert some data into a table. When program executes to insert, there may arise an error because I haven't created the table. I would like to create that table in a catch block and return to try block. So whenever the table is deleted or happens to delete, the try catch will build the table.
I have written some code for it, but it fails.
import java.sql.*;
/**
*
* #author JOJO
*/
public class ConnectDB {
static Connection conn;
static String driver = "org.apache.derby.jdbc.ClientDriver";
static String connectionURL = "jdbc:derby://localhost:1527/Libraryprj;user=scott;password=tiger";
public void AddBookDB(String bookName) throws SQLException {
String createString = "CREATE TABLE BOOKLEDGER (BOOKNAME VARCHAR(50) NOT NULL)";
try {
Class.forName(driver);
} catch (java.lang.ClassNotFoundException e) {
e.printStackTrace();
}
try
{
conn = DriverManager.getConnection(connectionURL);
Statement stmt = conn.createStatement();
boolean execute = stmt.execute("insert into BOOKLEDGER values ('" + bookName + "')");
stmt.close();
}
catch (SQLException sqlExcept)
{
Statement stmt = (Statement) conn.createStatement();
stmt.executeUpdate(createString);
sqlExcept.printStackTrace();
}
}
}
From my point of view it is better to proceed in another way(use control structure instead of try-catch), so you can test before if the table exist in this way :
DatabaseMetaData md = conn.getMetaData();
ResultSet rs = md.getTables(null, null, "table_name", null);
if (!rs.next()) {
//Table not Exist, let's create it
}
//Insert data into the table ...
It is a bad practice using try-catch in a similar case, try catch construct should be used only to catch exceptional situation, not in place of a control structure ...
It's an extra query, but i allways use this solution:
Connection connection = DriverManager.getConnection(...) // create the connection
Statement statement = connection.createStatement(...)
And use this query, to make sure that the table exists. It can only fail, if someone deletes your table while your following java code runs...
statement.execute("CREATE TABLE IF NOT EXISTS yourtable(...Your schema...)");
After this point you can assume that the table exists, and work with it, without expecting any seroius issue
The major problem with your approach is that you are catching the generic SQLException, which may have occurred for a very wide variety of reasons, your assumed reason being only one of them. That is why it is much more appropriate to test explicitly for the condition of table non-existence before trying to create it.
Related
I am writing a set of Eclipse console-based word games and have integrated an embedded Derby DB driver for storing a users result history.
My question is regarding Derby table initialization.
The Derby Database connection itself has a condition checker:
"jdbc:derby:dbName;create=true" So if the DB exists, it connects, if not it creates.
I am stuck on how to do this with a TBL in the Database. Even with the help from this similar question: how to create table if it doesn't exist using Derby Db
I've included my code below. My code throws a sql exception at the query for the Table 'RPS'. (My dbName is 'RPSdb' and TBL name is 'RPS'.)
This exception is caught by my catch block and passed to a static method in a different class ('DerbyHelper'). This static method is setup right now to always return true for the time being.
My question is how to I code my catch block and corresponding helper class so that I can implement the above mentioned TBL functionality?
Connection conn = null;
ArrayList<Statement> statements = new ArrayList<Statement>(); // list of Statements, PreparedStatements
Statement s;
ResultSet rs = null;
try {
conn = DriverManager.getConnection(protocol + dbName + ";create=true");
conn.setAutoCommit(false);
s = conn.createStatement();
statements.add(s);
rs = s.executeQuery("select * from RPS");
rs.next();
int cG = rs.getInt(1) + corGuess;
int iCG = rs.getInt(2) + inCorGuess;
s.executeUpdate("UPDATE RPS SET corGuesses = " + cG
+ ", inCorGuesses= " + iCG);
conn.commit();
}
catch( SQLException e ) {
if( DerbyHelper.tableAlreadyExists( e ) ) {
// what do I do here??
}
}
Interface java.sql.Connection has method getMetaData() which returns java.sql.DatabaseMetaData and that interface contains method getTables() which will tell you whether your database table exists, or not.
I have users table in MySQL and I created a stored procedure so that when get username and password from swing textfields passed them into stored procedure and learn if is there exist that user to login, but I can not get resultset actually in phpMyAdmin stored procedure work properly but in netbeans can not get resultset and runtime never stop in console , running always.
I do not think there is a problem in my code somewhere else because it is so simple code.
Here is my stored procedure in MySQL
SELECT * FROM `users` WHERE `users`.`E-Mail` = #p0 AND `users`.`Password` = #p1
it takes two parameter varchar and I tried before those as a text
Here is the specific part of my java code
public void loginPass(String email, String password){
try {
DriverManager.registerDriver((Driver) Class.forName("com.mysql.jdbc.Driver").newInstance());
Connection connection = DriverManager.getConnection("jdbc:mysql://localhost:3306/askdocdb","root","");
CallableStatement mystatement = connection.prepareCall("{CALL sp_Login (?, ?)}");
mystatement.setString(1, email);
mystatement.setString(2, password);
// mystatement.setString("#p0", email);
// mystatement.setString("#p1", password);
boolean situation = mystatement.execute();
System.out.println(situation);
// resultset = mystatement.executeQuery();
resultset = mystatement.getResultSet();
String res = resultset.getString(2);
System.out.println(res);
// resultset = mystatement.executeQuery();
while(resultset.next()){
System.out.println("asdsad");
}
resultset.close();
} catch (Exception e) {
}
}
The reason of comment lines, I tried any possible combination of syntax
situation returns true
res does not return
and can not enter into while statement
Thank you for your support and comments already now.
It's difficult to say what exactly is wrong with your code as there are quite a few possible points for failure if you choose to use a stored procedure for this simple task (incorrect syntax in the procedure, problems with getting the return value over JDBC, etc). I would simply run the SQL query over JDBC for checking the credentials:
public void registerDriver() {
try {
DriverManager.registerDriver((Driver) Class.forName(
"com.mysql.jdbc.Driver").newInstance());
} catch (InstantiationException | IllegalAccessException
| ClassNotFoundException | SQLException e) {
throw new RuntimeException("Could not register MySQL driver!", e);
}
}
public boolean checkLogin(String email, String password) {
try (Connection connection = DriverManager.getConnection(
"jdbc:mysql://localhost:3306/askdocdb", "root", "");
PreparedStatement ps = connection
.prepareStatement("SELECT 1 FROM users WHERE "
+ "E-Mail = ? AND Password = ?")) {
ps.setString(1, email);
ps.setString(2, password);
try (ResultSet rs = ps.executeQuery()) {
if (rs.next()) {
return true; // username and password match
} else {
return false; // no row returned, i.e. no match
}
}
} catch (SQLException e) {
throw new RuntimeException(
"Error while checking user credentials!", e);
}
}
What was changed:
JDBC driver registration has been extracted into a separate method (registerDriver()), which you only need to call once (e.g. after the program has started), not each time you check for credentials.
Resources such as Connection, PreparedStatement and ResultSet are now being closed properly (even if an exception is thrown) because they are declared through the try-with-resources statement.
The method now returns a boolean that corresponds to whether the credentials were valid or not, making it easier to use from calling code.
Exceptions that cannot be handled (e.g. SQLException) are rethrown as RuntimeExceptions (instead of just swallowing them in an empty catch block).
Basically, when an SQLException is thrown, either there is a programming error in the code (invalid query syntax) or something severely wrong with the database. In either case, the only option is usually to halt your program. You can declare throws SQLException in the method signature if you'd want to handle the situation in the calling method instead.
Finally, it needs to be mentioned that you should never store passwords in the database as plain text, to avoid anyone with read access to the db to login as an arbitrary user. Instead, you should store password hashes, or even better, salted hashes. More on this e.g. in Best way to store password in database.
I've been looking around and can't seem to find a solid answer to this. I was wondering if putting a string literal in executeQuery() is still prone to SQL injection.
So lets say I have this code:
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/","root","password");
Statement stmt = conn.createStatement();
ResultSet res = stmt.executeQuery("SELECT * from users where uid = "+uid);
Is this prone to a SQL injection?
Another question is, is just making the method that uses this code only throw an SQLException, and then trying and catching in main acceptable?
For example:
public void execMethod(String uid) throws SQLException {
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/","root","password");
Statement stmt = conn.createStatement();
ResultSet res = stmt.executeQuery("SELECT * from users where uid = "+uid);
// execute some other code
res.close();
}
public static void main(String[] args) {
try {
execMethod("123");
execMethod("456");
} catch(Exception ex) {
ex.printStackTrace();
}
}
Is this the standard or correct way of using SQL exceptions? I've never really worked with SQL and especially not Java and SQL. The tutorials I've read seem to only lay it out one way, so I'm pretty unsure of myself.
Is this prone to a SQL injection?"
Yes, you have no control over what uid might actually contain.
See Using Prepared Statements for more details
Another question is, is just making the method that uses this code only throw an SQLException, and then trying and catching in main acceptable?"
Yes, but you should at least wrap the contends of execMethod in try-finally to ensure that you are closing the resources you open (or use a try-with-resources for Java 7)
public void execMethod(String uid) throws SQLException {
try (Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/", "root", "password")) {
try (PreparedStatement stmt = conn.prepareStatement("SELECT * from users where uid = ?")) {
stmt.setString(1, uid);
try (ResultSet res = stmt.executeQuery()) {
// Process ressult set
}
}
}
}
See The try-with-resources Statement for more details
But, I would only catch the SQLException for EACH call, not batch them together, as you won't know what failed and what succeeded
try {
execMethod("123");
try {
execMethod("456");
} catch (Exception ex) {
// Maybe undo 123
System.out.println("Failed 456");
ex.printStackTrace();
}
} catch (Exception ex) {
System.out.println("Failed 123");
ex.printStackTrace();
}
(assuming that 456 is dependent on the success of 123)
Short answer : yes.
You do not appear to be doing any kind of input validation so there isn't anything stopping uid from being something like "105 or 1=1"
You should probably use PreparedStatements tutorial here
PreparedStatement stmt = conn.prepareStatement("SELECT * from users where uid = ?")
stmt.setString(1, uid);
..same as before
Also you don't close the statement or the connection which should be done in a finally block incase an exception is thrown
Yes. If uid can be entered by a user (it's not a String literal). I suggest you use a PreparedStatement, and a try-with-resources like
final String sql = "SELECT * from users where uid = ?";
try (PreparedStatement ps = conn.prepareStatement(sql)) {
ps.setString(1, uid);
try (ResultSet res = ps.executeQuery()) {
while (res.next()) {
// ...
}
}
}
The PreparedStatement (with bind variable) has at least these advantages
It can use the Statement cache on the server
It is not prone to SQL Injection
public class StudentDataPersistence {
public void insertStudentInfo(Student student) {
String url = "jdbc:oracle:thin:#localhost:1521:XE";
String username = "system";
String password = "Data03#";
Connection connection = null;
//Statement statement = null;
try {
//Step 1 : Register JDBC driver
Class.forName("oracle.jdbc.driver.OracleDriver");
//Step 2 : Open a connection
System.out.println("Connecting to a selected database...");
connection = DriverManager.getConnection(url, username, password);
if (connection != null) {
System.out.println("Connected to oracle");
}
//Step 3 : Write code to map Java Object to the Student_Info table
System.out.println("Inserting records into the database");
statement = connection.createStatement();
String sql = "insert into Student_Info " +
"VALUES(student.getName(),student.getRoll_no(),student.getAddress(),student.getPhone_no())";
statement.executeUpdate(sql);
System.out.println("Inserted student information into the database");
} catch (SQLException se) {
//handle errors for JDBC
se.printStackTrace();
} catch (Exception e) {
e.printStackTrace();
//Handle errors for Class.forName
} finally {
System.out.println("Inside the finally block");
//finally block used to close resources
try {
statement.close();
} catch (SQLException se) {
se.printStackTrace();
}
try {
connection.close();
} catch (SQLException se) {
se.printStackTrace();
}
}
System.out.println("!GoodBye");
}
public static void main(String[] args) {
Student student = new Student("Bavin", 1, "Umar Nagar", "89898989809");
StudentDataPersistence obj = new StudentDataPersistence();
obj.insertStudentInfo(student);
}
}
The error it shows it :
Connecting to a selected database...
Connected to oracle
Inserting records into the database
java.sql.SQLException: ORA-00904: "STUDENT"."GETPHONE_NO": invalid identifier
at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:189)
at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:242)
at oracle.jdbc.ttc7.Oall7.receive(Oall7.java:554)
at oracle.jdbc.ttc7.TTC7Protocol.doOall7(TTC7Protocol.java:1478)
at oracle.jdbc.ttc7.TTC7Protocol.parseExecuteFetch(TTC7Protocol.java:888)
at oracle.jdbc.driver.OracleStatement.executeNonQuery(OracleStatement.java:2076)
at oracle.jdbc.driver.OracleStatement.doExecuteOther(OracleStatement.java:1986)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:2697)
at oracle.jdbc.driver.OracleStatement.executeUpdate(OracleStatement.java:1035)
at org.core.hibernate.reason.StudentDataPersistence.insertStudentInfo(StudentDataPersistence.java:52)
at org.core.hibernate.reason.StudentDataPersistence.main(StudentDataPersistence.java:80)
Inside the finally block
!GoodBye
All the answers (those of you who illustrate it with an oracle query) in reply were wrong.
Kindly do have a look at it before posting.
the correct one i got when i posted another thread regarding the same:
String query = "insert into Student_Info(name,roll_no,address,phone_no) VALUES('"+student.getName()+"',"+student.getRoll_no()+",'"+student.getAddress()+"','"+student.getPhone_no()+"')";
you have commented out your Statement object definition. So the statement object is unknown when you're using it.
uncomment this line:
//Statement statement;
And as earlier pointed out by #putaro, you need to quote certain parts of your SQL query.
String sql = "insert into Student_Info " +
"VALUES("+student.getName()+","+student.getRoll_no()+","+student.getAddress()+","+student.getPhone_no()+")";
This is to insert the actual object values into the query. Things within the quote would be inserted as it is.
Error ORA-00904 means Oracle does not know the identifier "STUDENT"."GETPHONE_NO" it looks like you are trying to insert some value to a column named "GetPhone_NO" to Table "Student" from your SQL. so you should check your SQL and table structure again
I see there are two problems in the code.
Currently your code is not using the student object while making the query. All student.getName() etc call taken as plain strings rather than method calls that returns the appropriate values.
Second it would be better to write the query in the following form. It will avoid silly errors because of the structure of the tables.
"INSERT INTO student_info(name,roll_no,address,phone) VALUES("+
student.getName()+"," +
student.getRoll_no()+","+student.getAddress()+","+student.getPhone_no()+")";
Even better is if you use prepared statement like
Try changing the query like
"INSERT INTO student_info(name,roll_no,address,phone) VALUES(?,?,?,?)"
and then set the parameter values.
I am trying to create a simple web app that saves user data from a form to a database and reads the content of the database back to browser upon request. Following are the functions I have written so far.
connectToDB() // connects to database
addEmployee() // adds employee to database
displayEmployee() // returns a resultSet
isExisted(int staffID) // checks if the staff already exists
Database connection function:
public void connectToDB(){
try{
// load Apache derby driver
Class.forName("org.apache.derby.jdbc.EmbeddedDriver");
} catch(ClassNotFoundException e) {
System.err.println(e);
}
try{
connection = DriverManager.getConnection(DBNAME, USERNAME, PASSWORD);
} catch(SQLException e){
System.err.println(e);
}
} // end connectToDB
Display Employee function:
public ResultSet displayEmployee(){
connectToDB();
ResultSet result = null;
try{
Statement stmt = connection.createStatement();
String query = "SELECT * FROM APP.ADDRESSBOOK";
result = stmt.executeQuery(query);
} catch(SQLException e) {
System.err.println(e);
}
return result;
}
Check if employee exists:
public boolean isExisted(int StaffID){
connectToDB();
try{
Statement stmt = connection.createStatement();
String query = "SELECT StaffNum FROM APP.ADDRESSBOOK WHERE StaffNum = " + staff_number;
ResultSet result = stmt.executeQuery(query);
while(result.next()){
int temp = result.getInt(1);
if(temp == staff_number){return true;}
}
} catch(SQLException e) {
System.err.println(e);
}
return false;
}
As you can see, if you compare the displayEmployee() and isExisted(), I am repeating mysel. Both the function works but I am looking to refactor the code. In those function I havent closed the connection. If there were 20 functions in the web app that connects to the database my code would stink.
I am looking something like this:
* THIS CODE DOESNT WORK ******
private Statement queryDB(query){
connectToDB();
Statement stmt;
try{
stmt = connection.createStatement();
} catch(SQLException e) {
System.err.println(e);
}
return stmt;
// code for closing connection
}
public ResultSet DisplayEmployee(){
String query = "SELECT * FROM APP.ADDRESSBOOK";
Statement stmt = queryDB(query);
ResultSet result = stmt.executeQuery(query);
return result;
}
Thanks.
Using raw JDBC produces a lot of unsightly boilerplate code. One solution is to use Spring JDBC Template.
In addition you will get the sql exception hierarchy which will manage the underlying JDBC exceptions automatically as runtime exceptions.
For more see:
Introduction to Spring Framework JDBC
A couple of comments:
The catch statement of ClassNotFoundException should throw an exception and shouldn't continue further.
It is not a good idea to return resultsets from a method that obtained them upon statement execution, since it is the responsibility of that method to close it. Instead, you should either read out the results into objects or cache them into CachedRowSet if your downstream functions expect a resultset.
The connectToDB method should return a successful connection or throw exception.
You could write a method that takes in an SQL query and return the results as objects so that this method can be used for retrieving based on different criteria as long you are retrieving the objects of same type.
isExisted is using staff_number which I think you intend it to be staffID. If you found a row with this value, then there is no need to check if the result set contained the row with this value, right?
My two cents!