Strange SQL statements being inserted into database

mithesh raj

Joined: Nov 04, 2012
Posts: 10

I have a problem with my Java application. The application is based on users who have to enter their username (their email address) so as to fill in an input form. The functionality of the input form is that the user has to enter four book names in order of priority. In the application, suppose a user's email address is ""....he will have to input only "david.ferno" in the JTextBox...and a SQL LIKE statement is used to check the corresponding User ID from the "bookuser" table and store it into the "priority" table along with the book priority choices.

I have used PreparedStatement for the SQL retrieval from the database, but when values are being inserted to the , instead of saving a User ID like "user88", it is saving the SQL statement itself inside the database. What I mean to say is, in the "priority" table, instead of saving user88 (as an example) it is saving "SELECT User_ID FROM user WHERE email_address"

Here is my code:

Jelle Klap

Joined: Mar 10, 2008
Posts: 1951

If the idea is to make the SELECT query a subquery in the INSERT query, that's not going to work this way. What you'd need to do is create a PreparedStatement for the entire insert SQL String, which must include the select subquery, and instead of concatenating user input directly into that query String, use parameters like you do in the current select query String (the ? notation).

Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
chris webster

Joined: Mar 01, 2009
Posts: 2295

In your "sql" string, you are inserting the value of your original "SELECT" statement (squery) into the first column of the table called "priority". As Jelle says, you need to write your SQL properly - and test it in your database's SQL shell before you throw it into a Java program, so you can be sure your SQL works.

No more Blub for me, thank you, Vicar.
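The fix Jelle and chris describe, written out as an added example (not code from the original post): the lookup becomes a real subquery inside a single INSERT, and every user-supplied value, including the LIKE pattern, is bound with ? parameters. The table and column names (bookuser with User_ID and email_address, priority with book1..book4) and the helper names are assumptions; buggyInsertSql is a reconstruction of the concatenation pattern the question describes, shown only to contrast with the corrected form.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/** Assumed schema: bookuser(User_ID, email_address), priority(User_ID, book1, book2, book3, book4). */
public final class PriorityDao {

    // Reconstruction of the problem in the question: the text of the SELECT (squery) is
    // concatenated into the VALUES list, so the column stores the query string, not a User_ID.
    // Concatenating the user's input this way also makes the statement injectable.
    static String buggyInsertSql(String squery, String b1, String b2, String b3, String b4) {
        return "INSERT INTO priority (User_ID, book1, book2, book3, book4) VALUES ('"
                + squery + "', '" + b1 + "', '" + b2 + "', '" + b3 + "', '" + b4 + "')";
    }

    // Corrected form: one statement, the lookup is a genuine subquery, all values are parameters.
    // ESCAPE '!' lets the Java side neutralise LIKE wildcards in the user-supplied part.
    private static final String INSERT_SQL =
        "INSERT INTO priority (User_ID, book1, book2, book3, book4) "
      + "SELECT User_ID, ?, ?, ?, ? FROM bookuser WHERE email_address LIKE ? ESCAPE '!'";

    /** Escapes LIKE metacharacters so "a%" typed by a user matches literally, not as a wildcard. */
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    /**
     * Inserts one priority row per bookuser whose address starts with localPart + "@".
     * Returns the number of rows inserted; 0 means no user matched, so the caller can report it.
     */
    public static int savePriorities(Connection conn, String localPart, String[] books) throws SQLException {
        if (books == null || books.length != 4) {
            throw new IllegalArgumentException("exactly four book names are required");
        }
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            for (int i = 0; i < 4; i++) {
                ps.setString(i + 1, books[i]);
            }
            // The pattern is assembled in Java and bound, never spliced into the SQL text.
            ps.setString(5, escapeLike(localPart) + "@%");
            return ps.executeUpdate();
        }
    }
}
```

Because the match is on the local part only, more than one bookuser row can match and the INSERT ... SELECT will insert one priority row per match; checking the returned count (or matching on the full address) is how you catch that.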