0

I am trying to create a java application that insert data in a database. Application is fairly simple. It take 3 input from user and insert that input to database. Everything working but I get sql error executing insert statement. Here is code snippet.

sa.executeUpdate("INSERT INTO history (to, subject, body)"+"VALUES("+ DATA1 + "','" + DATA2 + "','" +DATA3+ "')'");

I am sure I am having problem with the Double Quotes and Single Quotes in statement.

Improve this question
1
  • Please describe "Not Working"? What is the error you see? Commented Sep 28, 2012 at 5:14

4 Answers 4

Reset to default
6

You should always use PreparedStatements for this kind of thing. It takes care of quoting for you and protects you from SQL injection attacks:

PreparedStatement statement = connection.prepareStatement("INSERT INTO history (to, subject, body) VALUES (?, ?, ?)");
statement.setString(1, DATA1);
statement.setString(2, DATA2);
statement.setString(3, DATA3);
statement.execute();

Not only that, but the database driver can compile and cache prepared statements, potentially making them much more efficient.

Note that the setString indices are 1-based, not zero-based.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1 
sa.executeUpdate("INSERT INTO history (to, subject, body)"+"VALUES("+ DATA1 + "','" + DATA2 + "','" +DATA3+ "')'");

This code will produce query like this:

INSERT INTO history (to, subject, body)VALUES(vinesh','raja','1111')'

You have to remove single quotes after the last ')' and add single quote after 'VALUES'.

Instead try this code:

sa.executeUpdate("INSERT INTO history (to, subject, body)"+"VALUES('"+ DATA1 + "','" + DATA2 + "','" +DATA3+ "')");
Improve this answer

1 Comment

Actually i did codeexecuteUpdate("INSERT INTO history "+"VALUES('"+ DATA1 + "','" + DATA2 + "','" +DATA3+ "')"); which worked !! Any wrong with my code?
0

As Vinesh Suggested the solution, I would simply like to tell, better you take one variable as 

String query="SQL QUERY";
then just do System.out.println(query);

then run the line,

PreparedStatement statement = connection.prepareStatement(query)

so that, you will correctly identify the final query formed.

Improve this answer

Comments

-1

1.Rather than using String Class use String Buffer or String Builder which is a mutable class. On the other hand, String Class is immutable. You can use String Buffer like

  1. String Buffer stbuffer = new String Buffer();

    stbuffer.append("insert into ");
stbuffer.append("<tablename> ");
stbuffer.append("<fields >");
stbuffer.append(" values");
stbuffer.append("(+");
stbuffer.append(String);
stbuffer.append(")");  ....etc

  2. You can get the final string representation using stbufffer.toString();

  3. You can insert this type of queries to exceute update() methods like ins.executeUpdate(stbuffer.toString);

  4. You can also use it like this for Insert statement and also for Prepared Statement

Improve this answer

1 Comment

Don't do this, use PreparedStatement

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.