JDBC更新查询错误

Question

I can't execute the update query on JDBC with where clause. I want to execute the query by concatenating some variables.

protected void updateEmail(String Email, String Username) {
    try {

        conn = DriverManager.getConnection("jdbc:mysql://localhost/project", "root", "");

        String query = "update access set email=" + Email + " where username=" + Username;

        Statement st = conn.createStatement();
        st.executeUpdate(query);

    } catch (SQLException ex) {
        System.out.println(ex);
    } finally {
        try {
            conn.close();
        } catch (SQLException ex) {

        }
    }
}

It says:

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'bhusal1' in 'where clause'

Answer 1

String should be between two quotes 'name' instead of your way you have to use PreparedStatement instead to avoid syntax error or SQL Injection :

String query = "update access set email=? where username=?";
PreparedStatement ps = con.prepareStatement(query);

ps.setString(1, email);
ps.setString(2, name);
ps.executeUpdate();

Answer 2

This is most likely a problem with concatenation of the request. The approach you use is extremely bad and can cause any problems (including security).

To avoid problems, use PrepareStatement when you need to submit sql query parameters. Here's an example that should solve your problem:

void updateEmail(String email,String username) {
    try (Connection connection = DriverManager.getConnection("jdbc:mysql://localhost/project", "root", "")) {
        String query = "update access set email = ? where username = ?";
        try (PreparedStatement statement = connection.prepareStatement(query)) {
            statement.setString(1, email);
            statement.setString(2, username);

            statement.executeUpdate();
        }

    }
    catch (SQLException e) {
        System.out.println(e);
    }
}

Answer 3

您应该将变量电子邮件和用户名放在where子句中的引号之间，以便进行更新查询