1

I'm working on a simple application that pulls data from a local database. The code below works fine when I use a string for the SQL query, but I cannot get it to work with PreparedStatement. I have reviewed similar problems posted here, but most of those were caused by calling `preparedStmt.executeQuery(query);` instead of `preparedStmt.executeQuery();`. Here is the code:

    private final String POSTTITLE = "posttitle"; // DB column name
    private final String POSTCONTENT = "content";  // DB column name

    public String getDbContent() {
        try {
            // Column names are bound as parameters here; this produces the syntax error shown below
            String query = "select values(?, ?) from blog";
            PreparedStatement preparedStmt = this.connect.prepareStatement(query);
            preparedStmt.setString(1, POSTTITLE);
            preparedStmt.setString(2, POSTCONTENT);
            ResultSet rs = preparedStmt.executeQuery();
            rs.next();
            return rs.getString(this.POSTCONTENT); // Will replace with a loop to get all content
        } catch (Exception e) {
            System.err.println("Error reading database!");
            System.err.println(e);
            return "Error: " + e;
        }
    }

This is the error I get: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''posttitle', 'content') from blog' at line 1

2
  • Are you sure you wanted to have the column names separated from the query? The syntax for SELECT is never SELECT VALUES() FROM ... but rather SELECT expression1, expression2, ... FROM ... with the expressions involving column names. In most cases, you know the columns you want to get in advance. It's not clear what you are trying to achieve with this query. Commented Apr 4, 2017 at 15:16
  • Yes I think you're right, there is no real reason to programmatically input the columns. Thank you. Commented Apr 5, 2017 at 17:03

3 Answers

2

Parameters in prepared statements are for values - you're trying to use them to select fields. They just don't work that way.

In this very specific instance, you'll need to make the SQL dynamic. However, you'll want to make sure that whatever code you have to allow your columns to be specified is tightly constrained to avoid SQL injection attacks. (For example, you could have an enum with the columns in, or a whitelist of allowed values.)


Comments
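As an added illustration of the allow-list approach this answer recommends (this is example code, not the asker's or the answerer's), the column set is built only from enum constants, untrusted input is resolved to one of those constants before it comes anywhere near the SQL text, and the actual row filter value still goes through a `?` placeholder. The `blog` table with columns `posttitle` and `content` comes from the question; the `where posttitle = ?` filter and the `BlogReader` class and method names are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.StringJoiner;

public class BlogReader {

    // Allow-list of selectable columns. Only these fixed strings are ever
    // concatenated into SQL; user input never is.
    public enum Column {
        POSTTITLE("posttitle"),
        POSTCONTENT("content");

        private final String dbName;

        Column(String dbName) { this.dbName = dbName; }

        public String dbName() { return dbName; }
    }

    private final Connection connect;

    public BlogReader(Connection connect) { this.connect = connect; }

    // Map an untrusted column name (e.g. from a request parameter) to an enum
    // constant. Anything not on the list is rejected rather than passed through.
    public static Column resolve(String userInput) {
        for (Column c : Column.values()) {
            if (c.dbName().equalsIgnoreCase(userInput)) {
                return c;
            }
        }
        throw new IllegalArgumentException("column not permitted");
    }

    // Build "select <cols> from blog where posttitle = ?" from enum constants only.
    // The column list is dynamic; the filter value stays a bound parameter.
    static String buildQuery(List<Column> columns) {
        if (columns.isEmpty()) {
            throw new IllegalArgumentException("at least one column is required");
        }
        StringJoiner cols = new StringJoiner(", ");
        for (Column c : columns) {
            cols.add(c.dbName());
        }
        return "select " + cols + " from blog where posttitle = ?";
    }

    // Returns one String[] per row, in the order of the requested columns.
    public List<String[]> getDbContent(List<Column> columns, String title) throws SQLException {
        String query = buildQuery(columns);
        try (PreparedStatement ps = connect.prepareStatement(query)) {
            ps.setString(1, title); // the value goes through the placeholder, as intended
            try (ResultSet rs = ps.executeQuery()) {
                List<String[]> rows = new ArrayList<>();
                while (rs.next()) {
                    String[] row = new String[columns.size()];
                    for (int i = 0; i < columns.size(); i++) {
                        row[i] = rs.getString(columns.get(i).dbName());
                    }
                    rows.add(row);
                }
                return rows;
            }
        }
    }
}
```

Usage: `new BlogReader(conn).getDbContent(List.of(BlogReader.resolve("content")), "hello")` selects `content` for posts titled `hello`; `resolve("content; drop table blog")` throws before any SQL is built. The error message deliberately does not echo the rejected input, so a malformed name is not reflected back to the caller.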

0

Try concatenating select query:

String query ="select "+POSTTITLE+","+POSTCONTENT+" from blog";

Remember that prepared statement parameters are for values, not for parts of the query; for those we simply use concatenation.

Comments

0

Try this:

String query ="select POSTTITLE, POSTCONTENT from blog";
PreparedStatement preparedStmt = this.connect.prepareStatement(query);
ResultSet rs = preparedStmt.executeQuery();
rs.next();

There is no need to use field names as parameters.

Comments
