stackoom
  简体   繁体   中英

Using java variables as values in mysql insert statement

 原文  2014-01-02 23:45:50       java/ mysql/ sql

Question

I currently have two created methods, one named createDatabase which creates a mysql database, table and inserts values into that table. The second method collects data from the user and stores them in variables.

I'm struggling to know how it would be possible to pass the variables from the userInput method to the createDatabase method, And how to then use the variables as values for the insert statement.

Here is the createDatabase method 

  public void createDatabase(){
    String data = "jdbc:mysql://localhost:3306/?user=root&password=root";
    try {

         Class.forName("com.mysql.jdbc.Driver");


        Connection conn = DriverManager.getConnection(data);
        Statement st = conn.createStatement();
        System.out.println("Connection made");

        int result = st.executeUpdate("DROP DATABASE IF EXISTS TESTDATABASE");

        result = st.executeUpdate("CREATE DATABASE TESTDATABASE");

        result = st.executeUpdate("USE TESTDATABASE");

        result = st.executeUpdate(
                "CREATE TABLE testtable ("
                + "dex INT NOT NULL AUTO_INCREMENT PRIMARY KEY, "
                + "name VARCHAR(40), "
                + "address1 VARCHAR(40), "
                + "address2 VARCHAR(40), "
                + "phone VARCHAR(20), "
                + "email VARCHAR(40))");
        result = st.executeUpdate(
                "INSERT INTO testtable(name, address1, address2, "
                + "phone, email) VALUES("
                + "'+name+', "
                + "'+address1+', "
                + "'+address2+', "
                + "'+phone+', "
                + "'+email+')"); 

        st.close();
        System.out.println("Database Created");
    }   catch (Exception e) {
            System.out.println("Error -- " + e.toString());
    }

}

The userInput method 

public void userInput(){
    String name;
    String address1;
    String address2;
    String phone;
    String email;

    Scanner in = new Scanner(System.in); 

    System.out.println("Enter name");
    name = in.nextLine();
    System.out.println("Enter first line of address");
    address1 = in.nextLine();
    System.out.println("Enter second line of address");
    address2 = in.nextLine();
    System.out.println("Enter phone number");
    phone = in.nextLine();
    System.out.println("Enter email address");
    email = in.nextLine();
    System.out.println("Details collected");

}

And main 

public static void main(String[] arguments) {
    TestDatabase test = new TestDatabase();
    test.userInput();
    test.createDatabase();

}

Any help and suggestions thanks!

2 answers

solution1
 5  2014-01-02 23:51:48

To insert the record you should use a PreparedStatement to protect against SQL injection: 

    try{
        String sql = "INSERT INTO testtable(name, address1, address2,phone, email)VALUES(?,?,?,?,?)"
        PreparedStatement statement = conn.prepareStatement(sql);
        statement.setString(1,name);
        statement.setString(2,address1);
        statement.setString(3, address2);
        statement.setString(4, phone);
        statement.setString(5, email);
        statement.executeUpdate();
     }catch(SQLException e){

     }

Concatenating String s to form a SQL statement is never a good option, it creates a security vulnerability in your application and your boss will be jacked when its exploited.

solution2
 0  2014-01-03 00:05:21

If you do this in Java, I recommend following Object Oriented principles. Do not write Java code like is C. You can create a Person object that has the following fields: 

    private String name;
    private String address1;
    private String address2;
    private String phone;
    private String email;

constructor 

 Person(String name, String address1, String address2, String phone, String email) {
        this.name = name;
        this.address1 = address1;
        this.address2 = address2;
        this.phone = phone;
        this.email = email;
    }

and getters like 

public String getName() {
    return this.name;
}

for each attribute. After that in userInput write 

return new Person(name, address1, address2, phone, email);

As a consequence the userInput now return an instance of Person. Split the createDatabase method in 2 parts: First method should handle the database creation The second method should handle the insertion. Example 

public void insertInDatabase(Statement st, Person p) {
   // here you can use code that others have posted.
}

As a conclusion: Please learn Java guidelines and principles and after that try to build something with it, because if you learn it stupid, you will use it stupid. Sorry if any offense!

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to insert values to mysql using java variables java mysql database insert using prepared statement Using mysql variables into a java JDBC prepared statement Java and MySQL insert statement how to insert BIT values in MySQL using Java? Insert values to mysql Java insert multiple values using prepared statement using loop java Insert user IP Address into MySql table using Prepared Statement in java Java - to - sql statement, variables in Insert into vs setString How do I insert Unique values in MySQL using using Java
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM