我的JDBC查询引起了我的JDBC错误吗？

Question

Currently i'm writing a JDBC application to manage a MySQL database. I have the delete, insert and select methods functioning with the correct queries. I'm having trouble with the Update method. When using using the following code I receive a MySQL error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "",Street",Town",City",PostCode",Age",email",RunningFee'false'Where PID=" at line 1...

private void updateData()
{
    Connection con;
    try
    {
        Class.forName("com.mysql.jdbc.Driver");
        con = DriverManager.getConnection(
                "jdbc:mysql://localhost/snr","root","");

        String sql = "Update participant Set password='"+txtpassword.getText()+"'," +
                "lastName='"+txtlastName.getText()+"',firstName='"+
                txtfirstName.getText()+"',HouseNumber'"+txtHouseNumber.getText()+"',Street'"+txtStreet.getText()+"',Town'"+txtTown.getText()+"',City'"+txtCity.getText()+"',PostCode'"+txtPostCode.getText()+"',Age'"+txtAge.getText()+"',email'"+txtemail.getText()+"',RunningFee'"+cbRunningFee.isSelected()+"' Where PID='"+txtPID.getText()+"'";

        Statement statement = con.createStatement();

        statement.execute(sql);

        createMessageBox("Updated Successfully");

        clearControls();
    }
    catch(Exception e)
    {
        createMessageBox(e.getMessage());
    }
}

Is there something wrong with my SQL query?

Answer 1

Yes, your query is wrong. You're missing = on a great big bunch of set column/value pairs.

(And please consider using prepared statements and bind variables, SQL injection is just not something you want to be open to.)

Answer 2

Not only is your query incorrect, but it may also open you to SQL Interjection Attacks .

You need to parameterize your query by replacing the pasted-in values with question marks, preparing the statement, and executing it. See the tutorial that I linked.

Finally, storing a password as plain text is a very, very bad idea.

String sql = "UPDATE participant SET "+
    "password=?, lastName=?, firstName=?, HouseNumber=?, Street=?, Town=?, "+
    "City=?,PostCode?,Age=?,email=?,RunningFee=? "+
    "WHERE PID=?";
PreparedStatement upd = con.prepareStatement(sql);
upd.setString(1, txtpassword.getText());
upd.setString(2, txtlastName.getText());
// ... and so on
upd.executeUpdate();
con.commit();

Answer 3

Yes there is something wrong with the query. Your way of building query is vulnerable to SQL Injection. Use Parameterized Queries instead of concatenating text like that.

Read this article: Preventing SQL Injection in Java

Answer 4

You are forgetting some = in your query.

Try

String sql = "Update participant Set password='"+txtpassword.getText()+"'," +
            "lastName='"+txtlastName.getText()+"',firstName='"+ 
txtfirstName.getText()+"',HouseNumber='"+txtHouseNumber.getText()+"',Street='"+
txtStreet.getText()+"',Town='"+txtTown.getText()+"',City='"+txtCity.getText()+
"',PostCode='"+txtPostCode.getText()+"',Age='"+txtAge.getText()+"',email='"+
txtemail.getText()+"',RunningFee='"+cbRunningFee.isSelected()+
"' Where PID='"+txtPID.getText()+"'";

Answer 5

The error 'you have an error in your SQL syntax' is from the sql server and indicates that yes, you do have an error in your query. In these cases I often find it useful to print the constructed query itself, just to check that it is being constructed correctly.

In your case I believe the problem is that you are missing a bunch of "="s, you also probably need to escape your single quotes in the java so they are passed through correctly (replace ' with \\').