SQL query with String data

Question

SQL query with String data

Navigation

#1 by (1 votes)
#2 by (1 votes)
#3 by (0 votes)

0

Hello, I have a query SQL implemented in JAVA in which I need to insert the values MTILM, MVisual, MVerba, MAR, MTeorico whose data is of type String, here I leave an example

connectionDB.executeInsertUpdate("INSERT INTO 'data_processed'('id', 'ti_log_mat', 'ea_visual', 'ea_verbal', 'ea_act_ref', 'ea_teorico', 'class') VALUES(" + cond1.getInt(1) + ",'" + MTILM + "','" + MVisual + "','" + MVerbal + "','" + MAR + "','" + MTeorico + "',0);");

But it throws me the following Error:

at com.mysql.jdbc.StatementImpl.executeBatch (StatementImpl.java:1198) at phase1_classification.ConnectionDB.executeInsertUpdate (ConnectionDB.java:65) at phase1_classification.DataProcessed.QuizPrePro (DataProcessed.java:270) at fase1_clasificacion.DataProcessed.main (DataProcessed.java:46) at phase1_classification.Face1_Classification.main (Face1_Classification.java30)

Because something is wrong I suppose that in the concatenation of the data, could someone tell me what I have poorly implemented?

mysql sql java jdbc

asked by Liomar 01.06.2017 в 21:37

source

3 answers

Javascript works for a piano Run WordPress Hook from Javascript

score 1 · Answer 1

It is recommended to use prepared queries to do CRUD operations in the Database. See in that sense the Java documentation .

In prepared queries, the SQL string and the data are passed separately, represented in the string by the sign of ? . In that way, the first degree SQL injection is avoided.

On each of the preparedStatement... lines, for example:

preparedStatement.setInt(1,cond1.getInt(1));

the data that you want to insert is passed, indicating the type ( setInt, setString ), the position ( 1, 2... ) taking into account that each data must correspond with what you indicate above in the INSERT INTO ... and finally the value you want to insert ( cond1.getInt(1), MTILM ... ).

There should be as many ? signs as there are columns on the left side of the INSERT INTO ... and the same number of calls to the method preparedStatement.set ...

Example:

String sSQL=
            "INSERT INTO 'data_processed'"
            + " ('id', 'ti_log_mat', 'ea_visual', 'ea_verbal', 'ea_act_ref', 'ea_teorico', 'class')" 
            + " VALUES (?,?,?,?,?,?,?);");

PreparedStatement preparedStatement = connectionDB.prepareStatement(sSQL);
preparedStatement.setInt(1,cond1.getInt(1));
preparedStatement.setString(2, MTILM);
preparedStatement.setString(3, MVisual);
preparedStatement.setString(4, MVerbal);
preparedStatement.setString(5, MAR);
preparedStatement.setString(6, MTeorico);
preparedStatement.setInt(7, 0); 

// ejecutar
preparedStatement.executeUpdate();

Note: Some import is needed. Here you can see a complete example.

score 1 · Answer 2

Always use a PreparedStatement to build queries, since it is responsible for automating escape.

    StringBuilder sb = new StringBuilder();

    sb.append("INSERT INTO 'data_processed'");
    sb.append("('id', 'ti_log_mat', 'ea_visual', 'ea_verbal', 'ea_act_ref', 'ea_teorico', 'class')"); 
    sb.append(" VALUES (?,?,?,?,?,?,?)");

    PreparedStatement preparedStatement = conexionBD.prepareStatement(sb.toString);
    preparedStatement.setInt(1,cond1.getInt(1));
    preparedStatement.setString(2, MTILM);
    preparedStatement.setString(3, MVisual);
    preparedStatement.setString(4, MVerbal);
    preparedStatement.setString(5, MAR);
    preparedStatement.setString(6, MTeorico);
    preparedStatement.setInt(7, 0); 

    preparedStatement.executeUpdate();

Also to concatenate in java it is better to do it with stringbuilder .

score 0 · Answer 3

The query that you sample is well formulated, but my recommendation is that you use the PreparedStatement, it will give more security to your query and debugging you will see exactly the error, the security I say it because it avoids sql injections, among other things . I hope it helps you. link

By the way, you should copy the function as it is because as it is structured it seems that you wrote it again and maybe we do not see the error because of it.