

JavaRanch » Java Forums » Databases » JDBC

Using strings within strings to read vars?

Daniel Stege Lindsjo
Greenhorn

Joined: Jun 28, 2010
Posts: 13
Hi all,
I keep getting the same error due to improper parsing of: String sqlStatement = "INSERT INTO user (firstName,userName,password,email,userRole) VALUES ("+fName,uName,pw,em,userRole+");";

Resin keeps saying:
500 Servlet Exception

/Users/username/Downloads/resin-3.1.9/webapps/ROOT/WEB-INF/classes/com/verify/web/VerifyUser.java:76:
';' expected
String sqlStatement = "INSERT INTO user (firstName,userName,password,email,userRole) VALUES ("+fName,uName,pw,em,userRole+");";
^
1 error


Everything else in the class works.



Amol Nayak
Ranch Hand

Joined: Oct 26, 2006
Posts: 218

I keep getting the same error due to improper parsing of: String sqlStatement = "INSERT INTO user (firstName,userName,password,email,userRole) VALUES ("+fName,uName,pw,em,userRole+");";


Is this a valid Java statement?

Hint: look at the string marked in bold.
Daniel Stege Lindsjo
Greenhorn

Joined: Jun 28, 2010
Posts: 13
The String sqlStatement is supposed to contain the SQL statement for the mysql database.
The problem is that the parser can't seem to see the content of the local string vars:




If I put the ' ' around fName and the others it reads them as strings and not vars and I end up with firstName = "fName" instead of firstName = fName; as it should.


D
Nilesh Miskin
Ranch Hand

Joined: Jun 17, 2010
Posts: 44
Try this:



Here I assume that the fields firstName,userName,password,email,userRole all are of type VARCHAR.
Hence I have enclosed these in single quotes.


Nilesh Miskin
Daniel Stege Lindsjo
Greenhorn

Joined: Jun 28, 2010
Posts: 13
You my friend are not a greenhorn but a Nerd god.



Works perfectly!! Yahoooooooooooo!


D
Tom Reilly
Rancher

Joined: Jun 01, 2010
Posts: 618
You need to separate your variables from the SQL syntax. Try the following and then print the sqlStatement after it to see that it is correct. For efficiency you could try using StringBuilder or String.format(), but get the below statement to work first.

David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

SQL injection.
Daniel Stege Lindsjo
Greenhorn

Joined: Jun 28, 2010
Posts: 13
SQL injection. *yikes*
How do I prevent this? :O


D
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Don't build SQL with unsafe strings, or use prepared statements.
Daniel Stege Lindsjo
Greenhorn

Joined: Jun 28, 2010
Posts: 13
When I try to use prepared statements it fails bigtime:



Is there any way for me to inspect the pstmt object's contents to be sure it looks the way it should? :P


D
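The two approaches discussed above (quoting each value into the concatenated INSERT, versus binding the values to a PreparedStatement), written out as an added example; this is not code from any post in the thread. The class name, the JDBC URL and the credentials are placeholders, the table layout follows the thread's description (a user table with the five columns plus an AUTO_INCREMENT id), and the hostile userName value is constructed here to show what the concatenated form does with it.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class RegisterUser {

    // Hypothetical connection details; replace with your own.
    private static final String JDBC_URL = "jdbc:mysql://localhost:3306/verify";
    private static final String DB_USER = "verify";
    private static final String DB_PASS = "change-me";

    /**
     * The concatenation approach from the thread: each value wrapped in
     * single quotes. Produces correct SQL for benign input, but any quote
     * in the input ends the value early and the rest is parsed as SQL.
     */
    static String buildUnsafeInsert(String fName, String uName, String pw,
                                    String em, String userRole) {
        return "INSERT INTO user (firstName,userName,password,email,userRole) VALUES ('"
                + fName + "','" + uName + "','" + pw + "','" + em + "','" + userRole + "')";
    }

    /**
     * Prepared-statement version: the SQL text is fixed at ? placeholders and
     * the values are sent separately, so they can never be parsed as SQL.
     * Returns the AUTO_INCREMENT id the database assigned to the new row.
     */
    static long insertUser(Connection conn, String fName, String uName, String pw,
                           String em, String userRole) throws SQLException {
        String sql = "INSERT INTO user (firstName,userName,password,email,userRole) VALUES (?,?,?,?,?)";
        try (PreparedStatement pstmt = conn.prepareStatement(sql, Statement.RETURN_GENERATED_KEYS)) {
            pstmt.setString(1, fName);
            pstmt.setString(2, uName);
            pstmt.setString(3, pw);       // store a password hash here, not the plaintext
            pstmt.setString(4, em);
            pstmt.setString(5, userRole);
            int rows = pstmt.executeUpdate();
            if (rows != 1) {
                throw new SQLException("expected 1 row inserted, got " + rows);
            }
            try (ResultSet keys = pstmt.getGeneratedKeys()) {
                if (!keys.next()) {
                    throw new SQLException("no generated key returned");
                }
                return keys.getLong(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed attacker input for the userName field: closes the VALUES
        // list early with userRole set to 'admin', then "-- " comments out the rest.
        String evilName = "bob','x','x@example.com','admin')-- ";

        // Concatenated form: the statement now inserts an admin account.
        System.out.println(buildUnsafeInsert("Laila", evilName, "secret", "laila@example.com", "user"));
        // INSERT INTO user (firstName,userName,password,email,userRole)
        //   VALUES ('Laila','bob','x','x@example.com','admin')-- ','secret','laila@example.com','user')

        // Prepared form: the whole evilName string is stored in the userName
        // column as data and userRole stays 'user'.
        try (Connection conn = DriverManager.getConnection(JDBC_URL, DB_USER, DB_PASS)) {
            long id = insertUser(conn, "Laila", evilName, "secret", "laila@example.com", "user");
            System.out.println("inserted user id " + id);
        }
    }
}
```

Note that the concatenated form does not need multiple statements per query to be enabled in the driver: a single INSERT with attacker-chosen column values is enough to register as admin. For inspecting a PreparedStatement while debugging, the MySQL Connector/J driver's toString() on the statement object includes the SQL with the bound values substituted; that is driver-specific behaviour, not part of the JDBC API, so do not rely on it in production code.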
David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Please see ItDoesntWorkIsUseless -- without knowing how it fails, it's a lot more difficult to fix.
Daniel Stege Lindsjo
Greenhorn

Joined: Jun 28, 2010
Posts: 13
The browser indicates the following:

Passwords match.
Welcome Laila.
You may register with this nickname.
You may register with this email.
Preparing statement...


And then it stops.
NB: The DB table has 6 fields beginning with an id AUTO INCREMENT NOT NULL, set by the DB.



Hope this is enough info.


D


David Newton
Author
Rancher

Joined: Sep 29, 2008
Posts: 12617

Nope, it's not. Check your log.