JDBC MySQL query error?

Question

I'm trying to insert some data into mysql database, but I get an error and I can't find the error with the code. I am not good at mysql.

String insertQuery = "insert into books(title, author, description, prize)values("
            + title
            + ","
            + author
            + ","
            + desc
            + ", "
            + prize
            +  ");";

mysql> describe books;
+-------------+--------------+------+-----+---------+-------+
| Field       | Type         | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------+-------+
| book_id     | int(11)      | NO   | PRI | NULL    |       |
| title       | varchar(64)  | YES  |     | NULL    |       |
| author      | varchar(64)  | YES  |     | NULL    |       |
| description | varchar(500) | YES  |     | NULL    |       |
| prize       | float        | YES  |     | NULL    |       |
| added       | datetime     | YES  |     | NULL    |       |
+-------------+--------------+------+-----+---------+-------+
6 rows in set (0.01 sec)

The error I get is,

Query: insert into books(title, author, description, prize)values(sfdfdf,fdfdf,Please    limiasasaat your response to 500 characters., 78.9);
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'limiasasaat your response to 500 characters., 78.9)' at line 1

Answer 1

You string values are not enclosed with single quotes. Try this:

String insertQuery = "insert into books(title, author, description, prize)values('"
            + title
            + "','"
            + author
            + "','"
            + desc
            + "', "
            + prize
            +  ");";

Example of Prepared Statement at RoseIndia

UPDATE 1

sample of PreparedStatement:

//other codes here
String iSQL = "Insert into books(title, author, description, prize) values (?,?,?,?)";
// con is your active connection object
PreparedStatement pstmt = con.prepareStatement(iSQL);
pstmt.setString(1, title);
pstmt.setString(2, author);
pstmt.setString(3, desc);
pstmt.setFloat(4, prize);
pstmt.executeUpdate();
//other codes here

but don't forget to this statement at the top of your class: import java.sql.*;

Answer 2

your problem is that you don't have quotes around your varchar parameters I think.

you could fix this by simply including quotes around those paramaters that need them:

String insertQuery = "insert into books(title, author, description, prize)values('"
            + title
            + "','"
            + author
            + "','"
            + desc
            + "', "
            + prize
            +  ");";

however this is still not a good solution as you still won't be able to handle any input which contains a single quote (if the desc parameter contained the string Don't try this the query would then fail, as the ' in the don't would terminate the desc parameter and the parser would then expect a , but would encounter t try this ) and are open to an SQL injection attack .

What you should be doing is using prepared statements. This makes it safe and you don't need to then worry about escaping issue as this is all handled for you. You can hack it to work as indicated above. But for your own sanity, and for everyone that has to deal with your code after you, please spend a little time to learn prepared statements and use them. Future you will thank current you.

There is a prepared statement tutorial on the oracle java website .

Using index based prepared statements always seems a little fragile to me. There is an example of how you can bind parameters by name which can make your PreparedStatements a little easier to read, so they might end up like this:

String iSQL = "Insert into books(title, author, description, prize) values (:title,:author,:description,:prize)";

NamedParameterStatement pstmt =new NamedParameterStatement(connection,iSQL);
pstmt.setString("title", title);
pstmt.setString("author", author);
pstmt.setString("description", desc);
pstmt.setFloat("prize", prize);
pstmt.executeUpdate();

Answer 3

I'd suggest use Prepared Statement but if you still want to go with the way you have then you will have to somehow tell MYSQL that this is a character(s) entry and this is a integer entry.

To define the difference between character entries and integer entries you will have to add single quote around the Character entries.

Answer 4

Use preparedStatement. Using statement in places where values will change will definitely lead you to such conclusions. A very good example is given by johntotetwoo. Have a look at it.