Strange SQL statements being inserted into database
mithesh raj (Greenhorn, joined Nov 04, 2012, 10 posts) posted:
I have a problem with my Java application. The application is based on users who have to enter their username (their email address) so as to fill in an input form. The functionality of the input form is that the user has to enter four book names in order of priority. In the application, suppose a user's email address is "david.ferno@gmail.com". He will have to input only "david.ferno" in the JTextBox, and a SQL LIKE statement is used to check the corresponding User ID from the "bookuser" table and store it into the "priority" table along with the book priority choices.
I have used PreparedStatement for the SQL retrieval from the database, but when values are being inserted into the "priority" table, instead of saving a User ID like "user88", it is saving the SQL statement itself inside the database. What I mean to say is, in the "priority" table, instead of saving user88 (as an example), it is saving "SELECT User_ID FROM user WHERE email_address".
If the idea is to make the SELECT query a subquery in the INSERT query, that's not going to work this way. What you'd need to do is create a PreparedStatement for the entire insert SQL String, which must include the select subquery, and instead of concatenating user input directly into that query String, use parameters like you do in the current select query String (the ? notation).
Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
In your "sql" string, you are inserting the value of your original "SELECT" statement (squery) into the first column of the table called "priority". As Jelle says, you need to write your SQL properly - and test it in your database's SQL shell before you throw it into a Java program, so you can be sure your SQL works.
ex-Oracle bloke