
java.sql.Statement.executeQuery(String sql) throws SQLException when DELETE sql query is used

I know that to execute an SQL DELETE statement I need to use executeUpdate(). However, my need is to support only SELECT statements, hence I am using executeQuery(String sql). My DB is Oracle.

My problem is, I am using java.sql.Statement.executeQuery(String sql) in a desktop-based application; a textbox in our app accepts any kind of query, and while testing we found that executeQuery(sql) is actually executing a DELETE query, i.e. it is successfully deleting a record and then throwing an error (SQLException).

  1. Shouldn't the API disallow a DELETE query from being executed?
  2. What can be done to prevent a DELETE query from being executed by the Statement.executeQuery API?

You will need to explicitly manage not executing INSERT, UPDATE & DELETE queries through the executeQuery() method. This is as per the JDBC specification, so it will accept delete queries as well and will throw an exception.

executeQuery() is used for SELECT SQL operations.
executeUpdate() is used for INSERT, UPDATE and DELETE SQL operations.

Your query is for a DELETE operation, thus please use stmt.executeUpdate();

As you mentioned that you are getting this from a textbox filled in by the user, you can add validations on the query string itself before executing it.

Let's say you get the query in a String; you can check if the string starts with SELECT and only then execute it.

// StringUtils here is MySQL Connector/J's helper (com.mysql.cj.util.StringUtils in 8.x,
// com.mysql.jdbc.StringUtils in 5.x). startsWithIgnoreCaseAndWs() skips leading
// whitespace and compares the keyword case-insensitively.
import com.mysql.cj.util.StringUtils;

// Prefix denylist: statements whose first keyword is listed are refused,
// anything else is handed to executeQuery().
if (StringUtils.startsWithIgnoreCaseAndWs(sql, "INSERT")
        || StringUtils.startsWithIgnoreCaseAndWs(sql, "UPDATE")
        || StringUtils.startsWithIgnoreCaseAndWs(sql, "DELETE")
        || StringUtils.startsWithIgnoreCaseAndWs(sql, "DROP")
        || StringUtils.startsWithIgnoreCaseAndWs(sql, "CREATE")
        || StringUtils.startsWithIgnoreCaseAndWs(sql, "ALTER")
        || StringUtils.startsWithIgnoreCaseAndWs(sql, "TRUNCATE")) {
    // Return message: unable to execute any update or modification queries through executeQuery()
} else {
    // Execute the query
}
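The check above is a denylist on the first keyword, and a denylist is only as good as its list: MERGE, CALL, LOCK TABLE, an anonymous BEGIN ... END PL/SQL block, a statement hidden behind a leading /* comment */, or two statements stacked with a semicolon all pass it, and even a genuine SELECT can invoke a stored function that performs DML in an autonomous transaction. The following is an added example (not code from the question or the answer) of the layering a practitioner would use instead: an allowlist that accepts exactly one SELECT (or WITH ... SELECT), combined with running the textbox queries through a dedicated database account that holds only SELECT privileges, so that anything which slips past the Java check is refused by the server before a row is touched. The class name ReadOnlyQueryGate, the account name report_ro and the hr.emp / dept table names are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Read-only gate for a free-text SQL box (added example, not from the original post).
 *
 * Layer 1: a Java allowlist, cheap but advisory (a SELECT may still call a
 *          stored function that does DML in an autonomous transaction).
 * Layer 2: the real control, a dedicated account with SELECT privileges only.
 *          Oracle syntax, names assumed:
 *            CREATE USER report_ro IDENTIFIED BY "...";
 *            GRANT CREATE SESSION TO report_ro;
 *            GRANT SELECT ON hr.emp TO report_ro;
 *          With that account, a DELETE that slips through fails with
 *          ORA-01031 (insufficient privileges) instead of deleting and then throwing.
 */
public final class ReadOnlyQueryGate {

    // Comments are stripped first so "/* x */ DELETE ..." cannot hide its verb.
    private static final Pattern BLOCK_COMMENT = Pattern.compile("/\\*.*?\\*/", Pattern.DOTALL);
    private static final Pattern LINE_COMMENT = Pattern.compile("--[^\\r\\n]*");

    /** Returns the normalised statement, or throws if it is not a single SELECT. */
    public static String requireSingleSelect(String sql) {
        if (sql == null) throw new IllegalArgumentException("empty query");
        String s = LINE_COMMENT.matcher(BLOCK_COMMENT.matcher(sql).replaceAll(" ")).replaceAll(" ").trim();
        // One trailing ';' is tolerated; any other ';' means a second statement follows.
        if (s.endsWith(";")) s = s.substring(0, s.length() - 1).trim();
        if (s.contains(";")) throw new IllegalArgumentException("only one statement is allowed");
        if (s.isEmpty()) throw new IllegalArgumentException("empty query");
        String first = s.split("\\s+", 2)[0].toUpperCase(Locale.ROOT);
        // Allowlist: SELECT, or WITH (subquery factoring that ends in a SELECT).
        // MERGE, CALL, BEGIN, LOCK etc. are rejected without having to enumerate them.
        if (!first.equals("SELECT") && !first.equals("WITH")) {
            throw new IllegalArgumentException("only SELECT statements are allowed, got " + first);
        }
        // Oracle's SELECT ... FOR UPDATE takes row locks; refuse it as well.
        if (s.toUpperCase(Locale.ROOT).matches("(?s).*\\bFOR\\s+UPDATE\\b.*")) {
            throw new IllegalArgumentException("SELECT ... FOR UPDATE is not allowed");
        }
        return s;
    }

    /** Runs one validated SELECT on a connection opened as the read-only account. */
    public static List<String> runSelect(Connection readOnlyConn, String sql, int maxRows) throws SQLException {
        String checked = requireSingleSelect(sql);
        readOnlyConn.setReadOnly(true);   // driver hint only; not a privilege boundary
        try (Statement st = readOnlyConn.createStatement()) {
            st.setMaxRows(maxRows);       // a free-text box should not pull whole tables
            st.setQueryTimeout(30);
            List<String> rows = new ArrayList<>();
            try (ResultSet rs = st.executeQuery(checked)) {
                int cols = rs.getMetaData().getColumnCount();
                while (rs.next()) {
                    StringBuilder sb = new StringBuilder();
                    for (int i = 1; i <= cols; i++) {
                        if (i > 1) sb.append('\t');
                        sb.append(rs.getString(i));
                    }
                    rows.add(sb.toString());
                }
            }
            return rows;
        }
    }

    /** Offline demo of the allowlist; no database needed. Inputs are constructed. */
    public static void main(String[] args) {
        String[] inputs = {
            "SELECT ename FROM hr.emp WHERE deptno = 10",
            "  /* hide */ delete from hr.emp",                 // leading comment, lower case
            "WITH d AS (SELECT * FROM dept) SELECT * FROM d",   // legitimate CTE
            "SELECT 1 FROM dual; DELETE FROM hr.emp",           // stacked statement
            "BEGIN DELETE FROM hr.emp; END;",                   // PL/SQL block, absent from the denylist
            "SELECT * FROM hr.emp FOR UPDATE",                  // takes row locks
            "MERGE INTO hr.emp e USING dept d ON (1=1) WHEN MATCHED THEN UPDATE SET e.sal = 0",
        };
        for (String in : inputs) {
            try {
                System.out.println("accepted: " + requireSingleSelect(in));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + in + "  (" + e.getMessage() + ")");
            }
        }
    }
}
```

Of the seven constructed inputs only the first and third are accepted. Note the order of defences: the Java check gives the user a clear message, but the SELECT-only account is what actually stops the "delete then throw" behaviour the question describes, because executeQuery() will run whatever the server is willing to run.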

To prevent executeQuery from being used for a DELETE execution, use return types in your code, i.e. if any DML is there, then the return type should always be int:

int i = stmt.executeUpdate("");

If you use int i = stmt.executeQuery(""); it will give you a compile-time error and prevents you from using executeQuery.

The technical posts on this site are licensed under CC BY-SA 4.0. If you need to reprint, please indicate the site URL or the original address. For any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM