I design a system and I want from the user firstly to choose from a combo box the name of the table he want to insert then he will enter the rest of the fields.. My question is that how can I let the user enter the name of the table using sql statement .. I write the following doesn't but it doesn't work ??
try {
Object service = Service_ComboBox.getSelectedItem();
String ref = "0";
String title = title_TextField1.getText();
Object riskRating = riskRating_ComboBox3.getSelectedItem();
Object rootCause = rootCause_ComboBox4.getSelectedItem();
Object impact = impact_ComboBox1.getSelectedItem();
Object likelihood = likelihood_ComboBox2.getSelectedItem();
String efforts = efforts_TextField7.getText();
String finding = finding_TextField9.getText();
String implication = implication_TextArea1.getText();
String recommendation = recommendation_TextArea2.getText();
Connection conn= DriverManager.getConnection ("jdbc:oracle:thin:#localhost:1521:XE","SYSTEM","*******");
String query = "insert into ? (Service,Ref,Title,Risk_Rating,Root_cause,Impact ,Likelihood,Efforts,Finding,Implication,Recommendation)values ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? , ?)";
PreparedStatement myStatment = conn.prepareStatement(query);
myStatment.clearParameters();
myStatment.setString(1, service.toString());
myStatment.setString(2, service.toString());
myStatment.setString(3, ref);
myStatment.setString(4, title);
myStatment.setString(5, riskRating.toString());
myStatment.setString(6, rootCause.toString());
myStatment.setString(7, impact.toString());
myStatment.setString(8, likelihood.toString());
myStatment.setString(9, efforts);
myStatment.setString(10, finding);
myStatment.setString(11, implication);
myStatment.setString(12, recommendation);
boolean myResult = myStatment.execute();
System.out.println("done");
} catch (SQLException ex) {
JOptionPane.showMessageDialog(this, "Information is missing or incorrect! Please Make sure to enter correct information");
Logger.getLogger(Insert_info.class.getName()).log(Level.SEVERE, null, ex);
return;
}
JOptionPane.showMessageDialog(this, "Your information was saved successfully!");
insert into ?
You cannot use a bind variable for schema object names. The reason being that when you prepare the statement, the database needs to know what tables are involved, and decide which indexes to use, so the query SQL needs to be known (only the data can change).
So if you want to do this, you have to use string interpolation to construct the query (only for the table name, continue to use bind variables for the data!).
String query = "insert into "+ tableName + ....
Make sure that you validate this tableName. In your case, it can probably be checked against a HashSet of valid table names. Do not let this become an SQL injection problem.
Use the folowing sintax:
String query = "insert into " &tablename "bla bla predicates"
To avoid the sql injection create roles in your databases and give access to the tables you want to be used by your visitors/users.
Or you can use a wildcard :
Create a Variable tbl_name
String query = "insert into "(select table_name from user_tables where table_name like '%tbl_name%')"<br/>
- next create a decision "IF" and throw the output of the wildcard in it.If it matches the tables you have then ok if not treat it with an error message.
Related
This is my PostgreSQL code:
CREATE TABLE "user" (
id serial UNIQUE,
username varchar,
password varchar,
email varchar,
);
I want to create Java method, which adds new user to my table user:
public static void addUser(Connection con) throws SQLException {
String sql = "INSERT INTO user VALUES (?, ?, ?)";
try(PreparedStatement ps = c.prepareStatement(sql)) {
ps.setString(1, "test");
ps.setString(2, "test");
ps.setString(3, "test#email.com");
ps.executeUpdate();
}
}
}
Because column id is serial, I don't create prepared statement for this column (even without java, I would make insert only with remaining values, since id would be generated automatically). Hovewer, when I run this code, I get the following error:
ERROR: column "id" is of type integer but expression is of type character varying
What am I doing wrong?
Always specify the target columns in an INSERT statement. And as user is a reserved keyword, you have to quote it (but it would be better if you found a different name)
String sql = "INSERT INTO \"user\" (username, password, email) VALUES (?, ?, ?)";
I have raw insert query like
insert into sample(id, name) values(1, 'text \\N\');
Getting SqlException while trying to insert via jdbc but the same insert query is working if I insert via mysql command prompt(console).
jdbc insert query is failing due to special characters("\N") in name field.
so how to overcome and insert the name with \N?
The cleanest approach is to not use a raw SQL query at all. If, as you've stated, you receive the name from some other process then it is presumably in a String variable (or property, or similar) so you can simply use a parameterized query to perform the insert:
// example data
int theId = 1;
String theName = "the name you received from somewhere else";
//
PreparedStatement ps = conn.prepareStatement("INSERT INTO sample (id, name) VALUES (?, ?)");
ps.setInt(1, theId);
ps.setString(2, theName);
ps.executeUpdate();
try {
currentCon = ConnectionManager.getConnection();
psParent=currentCon.prepareStatement("insert into accommodation (type,name,price,description,username)values(?,?,?,?,?)", PreparedStatement.RETURN_GENERATED_KEYS);
psParent.setString(1,type);
psParent.setString(2,name);
psParent.setFloat(3,price);
psParent.setString(4,username);
psParent.executeUpdate();
accid= 0;
rs = psParent.getGeneratedKeys();
if (rs.next())
accid = rs.getInt(1);
rs.close();
psParent.close();
psChild=currentCon.prepareStatement("insert into room (accid, bed)values(?,?)");
psChild.setInt(1,accid);
psParent.setString(2,bed);
psChild.executeUpdate(); }
after I run this, I got this error message : failed: An Exception has occurred! java.sql.SQLRecoverableException: internal error
Is there's something wrong with the code? Thank you for your help
Your usage of getGenereatedKeys() actually looks correct to me for Oracle, but the problem is actually with your first insert statement. You have placeholders (and column names) for 5 columns, but you only bind 4 values. Try something like this:
String sql = "insert into accommodation (type, name, price, description, username) ";
sql += "VALUES (?, ?, ?, ?, ?)";
String generatedColumns[] = { "ID" };
psParent = currentCon.prepareStatement(sql, generatedColumns);
psParent.setString(1, type);
psParent.setString(2, name);
psParent.setFloat(3, price);
psParent.setString(4, description); // I ADDED THIS LINE
psParent.setString(5, username);
psParent.executeUpdate();
I am assuming that you have a variable containing a description to be inserted. If not, then remove description and its placeholder from the prepared statement entirely, or just insert null.
Here is the code:
String sqlstatment = "INSERT INTO order (orderedBy, totalItems, totalPrice) "+
"VALUES (?, ?, ?);";
ResultSet keys = null;
try (
PreparedStatement stmt = conn.prepareStatement(sqlstatment, Statement.RETURN_GENERATED_KEYS);
){
stmt.setInt(1, 1);
stmt.setInt(2, 3);
stmt.setInt(3, 5);
int affected = stmt.executeUpdate();
if (affected == 1){
keys = stmt.getGeneratedKeys();
keys.next();
int newKey = keys.getInt(1);
orderBean.setOrderID(newKey);
}else{
System.out.println("An Error has ocurred while creating the Order.");
}
}catch (SQLException e){
System.err.println(e.getMessage());
}finally{
if (keys != null) keys.close();
}
And when I run the code I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order (orderedBy, totalItems, totalPrice) VALUES (1, 3, 5)' at line 1
I'm not entirely sure why I get the error so if you know that would be great.
order is a reserved word, try
String sqlstatment = "INSERT INTO \"order\" (orderedBy, totalItems, totalPrice) "+
"VALUES (?, ?, ?);";
Your query contains a RESERVED KEYWORD order as your table name. MySQL documentation clearly suggests that use of such keywords should always be avoided, if they need to be used then it has to be with the use of backticks as shown below '`'.
Certain objects within MySQL, including database, table, index, column, alias, view, stored procedure, partition, tablespace, and other object names are known as identifiers.
If an identifier contains special characters or is a reserved word, you must quote it whenever you refer to it.
Your query that gets assigned to a String in turn should be changed to the following to resolve this error!
"INSERT INTO \"order\" (orderedBy, totalItems, totalPrice) VALUES (?, ?, ?);"
The following is a documentation link to the reserved keywords for MySQL -> Documentation
Hope this helps!
private void sUpdateBtnActionPerformed(java.awt.event.ActionEvent evt) {
String query = "UPDATE Student SET lastname = ?, firstname = ?, course = ?, yearlvl = ?, username = ?, password = ?";
dbConn = DbConnection.dbConnect();
prepState = dbConn.prepareStatement(query);
prepState.setString(1, sLnTf.getText());
prepState.setString(2, sFnTf.getText());
prepState.setString(3, courseTf.getText());
prepState.setInt(4, Integer.parseInt(yearLvlTf.getText()));
prepState.setString(5, sUserTf.getText());
prepState.setString(6, sPassTf.getText());
prepState.executeUpdate();
}catch(Exception e){
appendEvent(sdf.format(new Date()) + " Error: " + e);
}
}
Method for connecting to the database:
import java.sql.*;
import javax.swing.*;
public class DbConnection {
Connection dbConn = null;
public static Connection dbConnect(){
try{
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
Connection dbConn = DriverManager.getConnection("jdbc:odbc:Driver={Microsoft Access Driver (*.mdb, *.accdb)}; DBQ=H:/Integ Ongoing Project/_Midterm Project/Server/src/database/Database.accdb");
return dbConn;
}catch(Exception e){
System.out.println(e.getMessage());
return null;
}
}
}
Password is a reserved word. If you must keep that as your field name, enclose it in brackets in your query to reduce the likelihood of confusing the database engine.
UPDATE Student
SET
lastname = ?,
firstname = ?,
course = ?,
yearlvl = ?,
username = ?,
[password] = ?
WHERE student_id = ?
Note I included a WHERE clause, as Stephen suggested, because it seems unlikely you would want those same field values applied to every row in the Student table. I used student_id as a placeholder name for the table's primary key ... the field which uniquely identifies each row. My intention is that you revise the WHERE clause to reference the primary key for the student whose record you want to alter.
If you're actually trying to add a new record, instead of update an existing record (or records), use an INSERT statement.
INSERT INTO Student (
lastname,
firstname,
course,
yearlvl,
username,
[password]
)
VALUES (
?,
?,
?,
?,
?,
?
)
And if you have autonumber as the data type of your primary key, the db engine will manage it for you.
I think that the problem is that your SQL statement is missing a WHERE clause. (I know that WHERE is optional in some dialects of SQL ... but a missing WHERE makes no sense to me here.)
The reason I think this is wrong is that even if the SQL dialect allows this, it is not clear which row of the table you are "setting". Even if the SQL engine can figure it out, a WHERE clause makes it a lot clearer. (And the fact that it "works" in the other case, doesn't mean that it is necessarily correct.)
Another thing that is potentially the cause of the problem is that "password" is a reserved word in some SQL dialects. Change the column name, or escape it.
Finally, the actual SQL error message should be in the exception stacktrace, or failing that in the log files. Those should be the first places to look if you are trying to find a problem in your database code. Look for the evidence ... rather than hoping someone else guess the right answer for you.