Oracle query inside java

Question

String sql = "INSERT INTO Student_Info(name,roll_no,address,phone_no) VALUES('101', 1, 'Fatma', '25')";

String sql = "insert into Student_Info(name,roll_no,address,phone_no) VALUES("+student.getName()+","+student.getRoll_no()+","+student.getAddress()+","+student.getPhone_no()+")";

the last query shows an error:

java.sql.SQLException: ORA-00917: missing comma

at

statement.executeUpdate(sql);

Can anyone rule out where am I missing the comma?

You're not missing a comma. You forgot to quote your variables (student.getName() etc.) — paulsm4
– paulsm4, Commented Apr 20, 2014 at 7:33
You should use a PreparedStatement instead of concatenating strings; see docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html — Ken Keenan
– Ken Keenan, Commented Apr 20, 2014 at 7:34

rene · Accepted Answer · 2014-04-20 07:44:10Z

1

You miss the single quotes around student.name, student.address and student.phone_no

String sql = "insert into Student_Info(name,roll_no,address,phone_no) VALUES('"+
              student.getName()+"',"+
              student.getRoll_no()+",'"+
              student.getAddress()+"','"+
              student.getPhone_no()+"')";

Do notice that this sql statement is vulnerable for sql injection attacks. Use a PreparedStatement.

  String sql = "insert into Student_Info(name,roll_no,address,phone_no) " +
               "VALUES(?,?,?,?)"; 

  addStudent = con.prepareStatement(sql);
  addStudent.setString(1, student.getName());
  addStudent.setInt(2, student.getRoll_no());
  addStudent.setString(3, student.getAddress());
  addStudent.setString(4, student.getPhone_no());
  addStudent.executeUpdate();
  con.commit();

edited Apr 20, 2014 at 7:44

answered Apr 20, 2014 at 7:32

rene

42.6k78 gold badges122 silver badges166 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Simon Dorociak · Accepted Answer · 2014-04-20 07:48:50Z

1

Do it in this way:

String sql = "insert into Student_Info(name, roll_no, address, phone_no) 
              VALUES(?, ?, ?, ?)";
PreparedStatement ps = con.prepareStatement(sql);
ps.setString(1, value); // indexing starts from 1 (not from zero)
...
ps.executeUpdate();
// commit if you have set auto-commit to false

Never use raw statements but PreparedStatements¹. Raw statements have lower performance, are more vulnerable (SQL Injection attacks) and what is most important is readability of code that is on very low level (especially in case if you have more columns).

¹PreparedStatements are much more safer, pre-compiled, have better performance and are user-friedly readable and more...

edited Apr 20, 2014 at 7:48

answered Apr 20, 2014 at 7:40

Simon Dorociak

33.5k10 gold badges70 silver badges107 bronze badges

Comments

fr1tz · Accepted Answer · 2014-04-20 07:35:54Z

0

rene's answer is correct. I would like to add, however:

It is much better practice to use Prepared Statements

Your code would look something like:

String sql = "INSERT INTO Student_Info(?,?,?,?) VALUES(?,?,?,?)"

PreparedStatement sql_prepared = connection_object.prepareStatement(sql)

answered Apr 20, 2014 at 7:35

fr1tz

8,4641 gold badge14 silver badges8 bronze badges

Collectives™ on Stack Overflow

Oracle query inside java

3 Answers 3

Comments

Comments

Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

3 Answers 3

Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Related