Strange SQL statements being inserted into database

mithesh raj
Greenhorn

Joined: Nov 04, 2012
Posts: 10

I have a problem with my Java application. The application is based on users who have to enter their username (their email address) so as to fill in an input form. The functionality of the input form is that the user has to enter four book names in order of priority. In the application, suppose a user's email address is "david.ferno@gmail.com"; he will have to input only "david.ferno" in the JTextBox, and a SQL LIKE statement is used to check the corresponding User ID from the "bookuser" table and store it into the "priority" table along with the book priority choices.

I have used PreparedStatement for the SQL retrieval from the database, but when values are being inserted to the , instead of saving a User ID like "user88", it is saving the SQL statement itself inside the database. What I mean to say is, in the "priority" table, instead of saving user88 (as an example), it is saving "SELECT User_ID FROM user WHERE email_address".

Here is my code:

Jelle Klap
Bartender

Joined: Mar 10, 2008
Posts: 1817
    
    7

If the idea is to make the SELECT query a subquery in the INSERT query, that's not going to work this way. What you'd need to do is create a PreparedStatement for the entire insert SQL String, which must include the select subquery, and instead of concatenating user input directly into that query String, use parameters like you do in the current select query String (the ? notation).


Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
chris webster
Bartender

Joined: Mar 01, 2009
Posts: 1843
    
  16

In your "sql" string, you are inserting the value of your original "SELECT" statement (squery) into the first column of the table called "priority". As Jelle says, you need to write your SQL properly - and test it in your database's SQL shell before you throw it into a Java program, so you can be sure your SQL works.


No more Blub for me, thank you, Vicar.
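The fix both replies describe, as an added example that is not code from the thread: a single parameterised INSERT ... SELECT in which the user lookup is a subquery and every user-supplied value (the four book names and the email local part) is bound through a ? placeholder, next to a reproduction of the symptom the original poster saw. It is written in Python against an in-memory SQLite database so it runs stand-alone; the ? placeholders map one to one onto JDBC's PreparedStatement.setString calls, so the SQL is what you would test in the database shell first, as chris suggests. The table and column names beyond User_ID and email_address, the sample rows, and the four book columns are assumptions for this example. It also covers a caveat the thread does not spell out: because the lookup uses LIKE, the user's input must have its % and _ wildcards escaped and the pattern anchored at "@", otherwise an input of "%" matches every user.

```python
import sqlite3

# Constructed in-memory stand-in for the thread's "bookuser" and "priority"
# tables. Only User_ID and email_address are named in the post; the four
# book columns and the sample rows are assumptions for this example.
SCHEMA = """
CREATE TABLE bookuser (
    User_ID       TEXT PRIMARY KEY,
    email_address TEXT NOT NULL UNIQUE
);
CREATE TABLE priority (
    User_ID TEXT NOT NULL REFERENCES bookuser(User_ID),
    book1 TEXT, book2 TEXT, book3 TEXT, book4 TEXT
);
INSERT INTO bookuser VALUES ('user88', 'david.ferno@gmail.com');
INSERT INTO bookuser VALUES ('user89', 'david.fernandez@gmail.com');
INSERT INTO bookuser VALUES ('user90', 'a_b@example.org');
"""

# The one statement that does the job: the user lookup is a subquery of the
# INSERT, and every user-supplied value travels as a bound parameter (?).
INSERT_PRIORITY = (
    "INSERT INTO priority (User_ID, book1, book2, book3, book4) "
    "SELECT User_ID, ?, ?, ?, ? FROM bookuser "
    "WHERE email_address LIKE ? ESCAPE '\\'"
)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def escape_like(s, esc="\\"):
    """Neutralise LIKE wildcards so the user's input is matched literally."""
    return s.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def save_priority_broken(conn, local_part, books):
    """Reproduces the symptom from the thread: the SELECT *text* is bound as
    the User_ID value, so the SQL statement itself ends up in the table."""
    squery = "SELECT User_ID FROM bookuser WHERE email_address LIKE ?"
    conn.execute("INSERT INTO priority VALUES (?, ?, ?, ?, ?)", (squery, *books))
    conn.commit()


def save_priority(conn, local_part, books):
    """Store the four choices against the User_ID whose address is
    local_part + '@' + anything. Returns the number of rows kept."""
    if len(books) != 4:
        raise ValueError("exactly four book choices are required")
    # Escape the user's text and anchor it at '@': only the local part is theirs.
    pattern = escape_like(local_part) + "@%"
    cur = conn.execute(INSERT_PRIORITY, (*books, pattern))
    if cur.rowcount != 1:
        # 0 rows: no such user; >1 rows: ambiguous match. Keep nothing either way.
        conn.rollback()
        return cur.rowcount
    conn.commit()
    return 1


def stored_user_ids(conn):
    return [row[0] for row in conn.execute("SELECT User_ID FROM priority")]


def matches_without_escaping(conn, local_part):
    """How many users an UNescaped pattern would match (the wildcard caveat)."""
    cur = conn.execute(
        "SELECT COUNT(*) FROM bookuser WHERE email_address LIKE ?",
        (local_part + "@%",),
    )
    return cur.fetchone()[0]


if __name__ == "__main__":
    books = ["Effective Java", "Clean Code", "Refactoring", "SQL Antipatterns"]
    db = open_db()
    save_priority_broken(db, "david.ferno", books)
    print("broken :", stored_user_ids(db))        # the SQL text, not 'user88'
    db = open_db()
    print("fixed  :", save_priority(db, "david.ferno", books), stored_user_ids(db))
    print("unknown:", save_priority(db, "nobody", books))
    print("'%' unescaped matches", matches_without_escaping(db, "%"), "users")
    print("'%' escaped stores", save_priority(db, "%", books), "rows")
```

The rowcount check matters: with LIKE, a pattern can legitimately hit zero or several rows, and an INSERT ... SELECT will happily store one priority row per match, so the code rolls back unless exactly one user matched. In JDBC the same number comes back from executeUpdate().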
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Strange SQL statements being inserted into database