
doubt regarding default values

 
rakhi sinha
Ranch Hand
database.java



These fields are retrieved from the servlet, p1.java:



When I click on the submit button of p1.java, database.java is called. The program is running well but there is only one problem... when all fields are filled in (i1, i2, i3, c1, c2, c3, q1, q2 and q3) the program shows no errors, but when I fill in only one field (i1, c1 and q1) then it shows an error. How do I remove this error (SQLException caught: ORA-00936: missing expression) if I want to fill in only one field?
 
Swastik Dey
Rancher
Rakhi,

Use PreparedStatement, it avoids SQL injection.
e.g.


http://docs.oracle.com/javase/1.4.2/docs/api/java/sql/PreparedStatement.html
 
rakhi sinha
Ranch Hand
Swastik Dey wrote:Rakhi,

Use PreparedStatement, it avoids SQL injection.
e.g.


http://docs.oracle.com/javase/1.4.2/docs/api/java/sql/PreparedStatement.html


I am using prepared statement but it is not working
 
Swastik Dey
Rancher
What exactly do you mean by not working? Does it raise any exception? Look at the exception stack trace.
 
rakhi sinha
Ranch Hand
rakhi sinha wrote:
Swastik Dey wrote:Rakhi,

Use PreparedStatement, it avoids SQL injection.
e.g.


http://docs.oracle.com/javase/1.4.2/docs/api/java/sql/PreparedStatement.html


I am using prepared statement but it is not working

Sorry, I am using this:



[Edited to shorten the lines in the CODE tag -- Martin Vajsar]
 
Swastik Dey
Rancher
Does the table have only 5 fields, and everywhere you are using pst1.setString? Are all the fields in the table of character type?
 
Martin Vajsar
Sheriff
Rakhi, I've a few notes on this:

- Show us the exception and stack trace you're getting. Otherwise we can only guess what's happening. See also the link ItDoesntWorkIsUseless.

- You're not using PreparedStatement, and you'll be vulnerable to SQL injection attacks if you continue this way.

- Though the INSERT ALL command should work, I'd suggest splitting it into three separate INSERT INTO statements. If you use update batching with prepared statements, it will be even more effective than the INSERT ALL statement you're using now.

- Your statement contains three column lists in the INTO P section. The first two contain column QU, while the last has column QUA at this place. This seems to be a typo. However, since the column names are rather cryptic, I can't know for sure.
 
Swastik Dey
Rancher
As Martin says, I also feel that PreparedStatement with batch update should be a better solution.
 
Piyush Mangal
Ranch Hand
You need to use parameterized sql with PreparedStatement.


 
rakhi sinha
Ranch Hand
Martin Vajsar wrote:Rakhi, I've a few notes on this:

- Show us the exception and stack trace you're getting. Otherwise we can only guess what's happening. See also the link ItDoesntWorkIsUseless.

- You're not using PreparedStatement, and you'll be vulnerable to SQL injection attacks if you continue this way.

- Though the INSERT ALL command should work, I'd suggest splitting it into three separate INSERT INTO statements. If you use update batching with prepared statements, it will be even more effective than the INSERT ALL statement you're using now.

- Your statement contains three column lists in the INTO P section. The first two contain column QU, while the last has column QUA at this place. This seems to be a typo. However, since the column names are rather cryptic, I can't know for sure.


QUA was written by mistake.. it is QU ......
My problem is this....
If I want to enter only one of these values (q1, q2 and q3) then the database shows the exception SQLException caught: ORA-00936: missing expression in p1.java.
 
Swastik Dey
Rancher
Are you still using Statement, or have you changed it to PreparedStatement? If changed, show us that part of the code once again.
 
Martin Vajsar
Sheriff
To debug this issue: write the text of the query (variable query) into a log file. Try to run that text in SQL*Plus or a similar tool, and possibly post it here. Most probably some of the parameters you stuff into it cause syntax errors (and demonstrate you've serious SQL injection issues in your code).

To turn that into production-quality code: follow the advice I've already given here (execute a PreparedStatement using simple INSERT INTO ... VALUES three times in a row - or any other number of times you actually need).
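Added example (not code from this thread) of the approach Martin and Swastik describe, for the case Rakhi asks about where only one of the three rows is filled in: one parameterised INSERT INTO P ... VALUES, executed once per non-empty row as a batch, so a blank row never leaves a "missing expression" in the SQL and form input is bound as data rather than concatenated. Table P and column QU come from the thread; column names ITEM and COST, the numeric types of COST and QU, and the open JDBC Connection supplied by the caller are assumptions.

```java
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class PInsertDao {

    // One group of form fields from the servlet: i1/c1/q1, i2/c2/q2, i3/c3/q3 (assumed meaning).
    public static final class Row {
        public final String item, cost, qu;
        public Row(String item, String cost, String qu) { this.item = item; this.cost = cost; this.qu = qu; }
        boolean isEmpty() { return isBlank(item) && isBlank(cost) && isBlank(qu); }
        boolean isComplete() { return !isBlank(item) && !isBlank(cost) && !isBlank(qu); }
        private static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }
    }

    // Inserts every non-empty row with ONE parameterised INSERT, executed once per row in a batch.
    // Column names ITEM/COST and the NUMBER types of COST and QU are assumptions for this example.
    public static int insertRows(Connection conn, Row... rows) throws SQLException {
        final String sql = "INSERT INTO P (ITEM, COST, QU) VALUES (?, ?, ?)";
        boolean previousAutoCommit = conn.getAutoCommit();
        conn.setAutoCommit(false);                  // all filled-in rows are stored, or none are
        int batched = 0;
        try (PreparedStatement pst = conn.prepareStatement(sql)) {
            for (Row r : rows) {
                if (r.isEmpty()) continue;          // slot left blank by the user: no INSERT at all
                if (!r.isComplete()) {
                    throw new IllegalArgumentException("item, cost and quantity must all be filled in");
                }
                pst.setString(1, r.item.trim());    // bound as a value: a quote in the input cannot alter the SQL
                pst.setBigDecimal(2, new BigDecimal(r.cost.trim()));  // typed setters instead of setString everywhere
                pst.setInt(3, Integer.parseInt(r.qu.trim()));
                pst.addBatch();
                batched++;
            }
            pst.executeBatch();                     // Oracle may report SUCCESS_NO_INFO per row, so count locally
            conn.commit();
            return batched;
        } catch (SQLException | RuntimeException e) {
            conn.rollback();                        // a bad cost/quantity in row 2 must not leave row 1 half-committed
            throw e;
        } finally {
            conn.setAutoCommit(previousAutoCommit);
        }
    }
}
```

Calling insertRows(conn, new Row("i1", "c1", "q1"), new Row("", "", ""), new Row("", "", "")) issues exactly one INSERT; a NumberFormatException from a non-numeric cost or quantity rolls the batch back before anything is committed.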
 
Wendy Gibbons
Bartender
We need to see the SQL where you are only trying to insert 1 value.
Are you using the same statement but only setting one of the variables?
 
rakhi sinha
Ranch Hand
Piyush Mangal wrote:You need to use parameterized sql with PreparedStatement.





When I use PreparedStatement, no value is inserted in the database.
 
Wendy Gibbons
Bartender
rakhi sinha wrote:
Piyush Mangal wrote:You need to use parameterized sql with PreparedStatement.





When I use PreparedStatement, no value is inserted in the database.


2 points:
1: Are all the columns strings, even the quantity and price? PreparedStatement has methods for each datatype.
2: It must be throwing an exception if it isn't inserting anything at all; can you post the stack trace?
 
rakhi sinha
Ranch Hand
Wendy Gibbons wrote:
rakhi sinha wrote:
Piyush Mangal wrote:You need to use parameterized sql with PreparedStatement.





When I use PreparedStatement, no value is inserted in the database.


2 points:
1: Are all the columns strings, even the quantity and price? PreparedStatement has methods for each datatype.
2: It must be throwing an exception if it isn't inserting anything at all; can you post the stack trace?


I had made some mistake, but now it is inserting values into the database. Now there is another problem, which I have mentioned in my prepared statement problem:
http://www.coderanch.com/t/573865/JDBC/java/prepared-statement

Please help me out to solve this problem.. thanks in advance.
 
Wendy Gibbons
Bartender
As you have started a new thread, locking this one.
 