
query writing problem

 
mohammad shadab
I am writing an insert query for PostgreSQL but it is not accepting it... it will be very helpful for me if you suggest the right way.





where stmt is an object of Statement, and my table (named mytable) has the following fields:
patient_id integer
patient_name character
patient_type character
When I'm running this code there is an exception: "patient_id does not exist".
 
Jeanne Boyarsky

This code doesn't pass Java variables to your code. You have two choices:

Option 1 - build the query inserting the variables directly
String qry="insert into mytable(patient_id,patient_name,patient_type) "+"values("+patient_id+",'"+patient_name +"','" +patient_type + "');";

Option 2 - use a PreparedStatement instead of a Statement:
String qry="insert into mytable(patient_id,patient_name,patient_type) "+"values(?,?,?);";

In real application code, you'll want to use option 2 so you don't have to worry about SQL injection where people can mess up your database or hack your application.
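The two options side by side, as an added example that is not code from the thread. It shows what Option 1 actually sends to PostgreSQL when a value contains a quote (a plain name like O'Brien already breaks the statement; a crafted one turns it into two statements), and how Option 2 binds the same values as parameters so they can never be read as SQL. The class name, the hostile input and the JDBC connection setup are assumptions for illustration; mytable and its three columns are from the original post. This also explains the poster's "patient_id does not exist" error as Jeanne describes it: if the Java variable names are written inside the SQL string, PostgreSQL sees them as column references, not values.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class PatientInsert {

    // Option 1 from the reply: concatenate the Java variables into the SQL text.
    // Kept here only so you can see the exact string the database receives.
    static String buildConcatenatedQuery(int patientId, String patientName, String patientType) {
        return "insert into mytable(patient_id,patient_name,patient_type) "
             + "values(" + patientId + ",'" + patientName + "','" + patientType + "');";
    }

    // Option 2: the SQL text is fixed and the values travel separately as bound parameters.
    static final String INSERT_SQL =
        "insert into mytable(patient_id,patient_name,patient_type) values(?,?,?)";

    // Needs a live Connection (e.g. from DriverManager with the pgjdbc driver) - assumption,
    // the thread does not show how the connection is opened.
    static int insertPatient(Connection conn, int patientId, String patientName, String patientType)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            ps.setInt(1, patientId);
            ps.setString(2, patientName);   // stored verbatim, quotes and all
            ps.setString(3, patientType);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Ordinary input: Option 1 produces a valid single INSERT.
        System.out.println(buildConcatenatedQuery(1, "Alice", "inpatient"));

        // A legitimate name with an apostrophe: the literal ends early and PostgreSQL
        // reports a syntax error, even though nobody is attacking anything.
        System.out.println(buildConcatenatedQuery(2, "O'Brien", "inpatient"));

        // A constructed hostile name: the quote closes the literal, the parenthesis closes
        // VALUES, a second statement follows, and "--" comments out the leftover text.
        String hostile = "Bob','x'); delete from mytable; --";
        System.out.println(buildConcatenatedQuery(3, hostile, "inpatient"));
        // Sent through Statement.execute this runs the INSERT and then the DELETE.
        // Sent through insertPatient(conn, 3, hostile, "inpatient") it inserts one row
        // whose patient_name is the hostile string itself, and nothing is deleted.
    }
}
```

Compile and run with javac/java to see the three generated strings; only insertPatient needs the PostgreSQL JDBC driver and a real database.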
 
mohammad shadab
Thank you Jeanne for the nice suggestion... actually I want to do this without using the placeholder (prepared statement) approach... I was confused about appending the variables. Thank you again for the nice explanation.