
Oracle update statement in java

This is my code for the Oracle database to update a record. I have done insert, delete and search, but fail to update. Kindly suggest to me what's wrong in the code or in the query.

Statement stmt;
try {
    stmt = DBPRoject.conn.createStatement();
    stmt.executeUpdate("update personinfo set cnic='"+CnicNo+"','name="+name+"','login="+login+"','password="+psd+"','zip="+Zip+"','persontypeid="+typeid+"' where cnic="+CnicNo);
    //stmt.executeQuery("update  personinfo set cnic=" + '"+CnicNo+"', '"+name+"', '"+login+"', '"+psd+"', '"+Zip+"',+typeid+);
    stmt.executeQuery("commit");
    stmt.executeQuery("update  personcont set cnic='"+CnicNo+", 'address="+HomeAdd+"', 'city="+City+"', 'statep="+State+"', 'mobno="+MobNo+"','email="+Email+"','nationality="+Nationality+"','persontypeid"+typeid+"','status"+Status+"' where cnic="+CnicNo);
    stmt.executeQuery("commit");
    JOptionPane.showMessageDialog(null, "Updated sucessfully"); 

}
catch(SQLIntegrityConstraintViolationException uni){
    JOptionPane.showMessageDialog(null, "Enter Uniqe CNIC");
    return;
}
catch (SQLException ex) {
    Logger.getLogger(Add_Customer.class.getName()).log(Level.SEVERE, null, ex);
}

I am stuck at this point and need some help :) Thanks in advance.

The first problem is you seem to be quoting the column name and value for some of your constraints...

 ...'name="+name+"','login="+login+"','password="+psd+"','zip="+Zip+"','persontypeid="+typeid+"' ...
    ^-------------^ ^---------------^ ^----------------^ ^-----------^ ^-----------------------^

The second issue is, you should be using PreparedStatement to reduce the risk of SQL injection

For example...

try (PreparedStatement stmt = con.prepareStatement("update personinfo set cnic=?,name=?,login=?,password=?,zip=?,persontypeid=? where cnic=?")) {
    stmt.setString(1, CnicNo);
    stmt.setString(2, name);
    stmt.setString(3, login);
    stmt.setString(4, psd);
    stmt.setString(5, Zip);
    stmt.setString(6, typeid);
    stmt.setString(7, CnicNo);
    int rows = stmt.executeUpdate();
}

Also, assuming that autoCommit is set to false for the Connection, you should simply be able to use con.commit(); to commit the updates instead of executing another query, but this might be a particular requirement of the driver.
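The two updates from the question, written as one parameterized transaction. This is an added example, not code from the question or the answers: the class and method names are hypothetical, the column names are taken from the question, and every column is assumed to be a character type (use setInt or similar where a column is numeric).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Arrays;

public final class PersonUpdater {
    // cnic is the lookup key and is not changed, so it appears only in WHERE.
    private static final String UPDATE_INFO =
        "update personinfo set name=?, login=?, password=?, zip=?, persontypeid=? where cnic=?";
    private static final String UPDATE_CONT =
        "update personcont set address=?, city=?, statep=?, mobno=?, email=?, "
        + "nationality=?, persontypeid=?, status=? where cnic=?";

    /** Binds the values, in order, to the statement's ? markers and executes it. */
    private static int run(Connection con, String sql, String... values) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            for (int i = 0; i < values.length; i++) {
                ps.setString(i + 1, values[i]); // JDBC parameter indexes start at 1
            }
            return ps.executeUpdate();
        }
    }

    /**
     * Updates both tables as one transaction. Returns true only if each
     * statement matched exactly one row; otherwise nothing is committed.
     * info = {name, login, password, zip, persontypeid}
     * cont = {address, city, statep, mobno, email, nationality, persontypeid, status}
     */
    public static boolean updatePerson(Connection con, String cnic, String[] info, String[] cont)
            throws SQLException {
        boolean oldAutoCommit = con.getAutoCommit();
        con.setAutoCommit(false);
        try {
            int a = run(con, UPDATE_INFO, append(info, cnic));
            int b = run(con, UPDATE_CONT, append(cont, cnic));
            if (a == 1 && b == 1) { con.commit(); return true; }
            con.rollback(); // unknown cnic, or only one table matched
            return false;
        } catch (SQLException e) {
            con.rollback(); // never leave a half-applied update behind
            throw e;
        } finally {
            con.setAutoCommit(oldAutoCommit);
        }
    }

    /** Returns a copy of values with the WHERE-clause key appended as the last parameter. */
    private static String[] append(String[] values, String last) {
        String[] out = Arrays.copyOf(values, values.length + 1);
        out[values.length] = last;
        return out;
    }
}
```

Because every value is bound through a ? marker, quotes or SQL keywords inside a field are stored as data and cannot alter the statement text.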

Just guessing, as you have not provided the error message and the content of your variables is not given, but you are setting ' before the name of some attributes, e.g. 'name="+name+"' could result, for example, in 'name=John', but the correct syntax is name='John', so just correct this in all of the places you do that. Then make sure that you are not quoting integer values.

You should print the final SQL statement into the log and check for errors. Change 'name="+name+"' into name='"+name+"' for all other fields.
