how to solve SQL syntax error?

Question

try {
    String req = "INSERT INTO nouvelle_installation" +
      "values('" + ref + "','" + today + "','" + check + "','" + nbligne +
      "','" + tligne + "','" + categorie + "','" + instal + "','" + cin +
      "','" + user + "','" + prenom+"','" + numC + "','" + num + "','" + voie +
      "','" + tvoie + "','" + imm + "','" + app + "','" + etage +
      "','" + codep + "')"; 

    Statement m = s.getCon().createStatement();  
    m.executeUpdate(req);
} catch (SQLException e1) {
    e1.printStackTrace();
}

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Erreur de syntaxe près de ''aaa','2012-04-10',' ','------','---------------','-------', 'Nouvelle Installati' à la ligne 1

Answer 1

As others said, use prepared statements instead of concatenating your statement.

This would prevent SQL injection , and your current problem:

"INSERT INTO nouvelle_installation" + "values" ...

results in

"INSERT INTO nouvelle_installationvalues" ...

You are missing a space between your table-name and the keyword values .

Answer 2

You need to put a space between the "INSERT INTO nouvelle_installation" + "values(... or the string will appear to look like

"INSERT INTO nouvelle_installationvalues("...

So it should look like this

"INSERT INTO nouvelle_installation" + " values(...

Answer 3

As already someone as pointed out, this code is subject to Sql Injection Attacks.
However the first error visible in your query is the space missing before the values keyword

Answer 4

use prepared statements instead of concatenating your statement.

Also prepared statements is faster than Statement.

You are missing a space between your table-name and the keyword values .

Answer 5

You have a quote following num and one before voie with no comma between them. Is that what you wanted?

... + "','" + num  + "'"   +
      "'"   + voie + "','" + tvoie + ...

This effectively gives you ,'NUM''VOIE',' .

You also have no space before the values keyword.