I am using VB.net to access a MySQL database and insert data into this table.
I am getting this data from an opera database, the query I am using is:
Dim queryInsert As String = "INSERT INTO customer_company(customer_id, name, street, zip,
city,country,comments) values(" + c.sn_account.Trim + ", " + name + ", " + road + ", "
+ postcode + ", " + city + ", " + country + ", " + name + ")"
I am then getting an error when it comes to the record:
B010, Charles Birt & Co, Loch House, null, Tenby, Dyfed, Charles Birt & Co
I though that this may be the '&' in the data so I have tried replacing it with || chr(38) || and also escaping it using \& but these do not work. Also I tried setting the postcode to various things like 'N/A', ' ' and null because this particular record doesn't have a postcode but this still gives the error.
Don't know if its the data or the query, any suggestions would be great.
Please use parameters when executing SQL commands.
This avoids problems like you encounter in your question and also minimizes SQL injection attacks:
Dim queryInsert As String =
"INSERT INTO customer_company(customer_id, name, street, zip,city,country,comments) values (#customer_id, #name, #street, #zip, #city, #country, #comments)"
Dim cmd as new MySqlCommand(queryInsert, <YourConnection>)
cmd.Parameters.AddWithValue("#customer_id", c.sn_account.Trim)
cmd.Parameters.AddWithValue("#name", name)
cmd.Parameters.AddWithValue("#street", road)
cmd.Parameters.AddWithValue("#zip", postcode)
cmd.Parameters.AddWithValue("#city", city)
cmd.Parameters.AddWithValue("#country", country)
cmd.Parameters.AddWithValue("#comments", name)
cmd.ExecuteNonQuery();
Not too sure if this will fix your problem but, when adding/inserting a value with a String Data Type Column in SQL, you should have ' '.
in your example:
Dim queryInsert As String = "INSERT INTO customer_company(customer_id,
name, street, zip, city,country,comments)
values(" + c.sn_account.Trim + ", '" + name + "', '" + road + "', "
+ postcode + ", '" + city + "', '" + country + "', '" + name + "')"
i dont add ' ' in customer_id and postcode because i think that they are not string date type.
Related
Here's the syntax:
string insert_query = "insert into book_borrow (BookID, MemberID, Date_Borrow, Date_Return) values ('" + BookID + "', '" + MemberID + "', curdate(), dateadd(month,1, getdate()))";
const char* q = insert_query.c_str();
qstate = mysql_query(conn, q);
I have error to query execution Problem! 1305
I want to automatically add return date after current date but I can't get it.
For MySQL, it will be DATE_ADD() not dateadd(), document can be found here.
Also do not trust user input like BookID and MemberID to prevent SQL injection. Try using prepared statements.
Try the below SQL
string insert_query = "insert into book_borrow (BookID, MemberID, Date_Borrow, Date_Return)
values ('" + BookID + "', '" + MemberID + "', CURDATE(), DATE_ADD(CURDATE(), INTERVAL 1 MONTH))";
Can someone help me with the problem that I'm having now?
I have a set of question(survey). When the user done the survey, it will insert to my database.
However, right now, when I submit the survey, it doesn't insert the result into my database.
here is my code:
try {
//Process - Query from SQL
String strSqlnsert = "INSERT INTO Customers (MembershipID, Contact, Email, Address, SurveyStatus, Subscription) VALUES"
+ " ('"+ member_ID + "', " + contact_num + ", '" + email_add + "', '" + mail_add + "' , " + radio_group + "," + receive_info + ")";
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3307/customers", "root", "password");
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(strSqlnsert);
I've also add in the library for the JDBC in the library folder.
It seems the non numeric values aren't quoted
Instead of
" + email_add + ",
try
'" + email_add + "',
In the below insert statement
INSERT INTO table (field1, field2) VALUES ( 5, 'this is a string');
the 'this is a string' is wrapped in quotes, because field2 is of type VARCHAR. field1 is INT so the value assigned to it (5) doesn't need quoting.
The VALUES list must be in braces too and again, non numeric values must be quoted:
String strSqlnsert = "INSERT INTO Customers (MembershipID, Contact, Email, Address, SurveyStatus, Subscription) VALUES (" + member_ID + ", " + contact_num + ", '" + email_add + "', '" + mail_add + "', '" + radio_group + "', '" + receive_info + "')";
Try to make a prepared statement where you can call setInt or setString method of preparedStatement class . so it will automatically remove string or numeric confusion at all.
BTW preparedStatement is the best way to pass parameter in sql query.don't use Statement class for parameter sql query.
I need help on what I am doing wrong, please.
database called renters
addressID is auto-increment from a table called Property, and included in a table called Renter, I am doing a java assignment.
I connect to the database, and when I try to add a new renter it gives me this error
Error processing the SQL!java.sql.SQLException: Field 'AddressID' doesn't have a default value
Database connection terminated
here is my insert statement:
String addFirstName = txtFirstName.getText();
String addLastName = txtLastName.getText();
String addCellPhone = txtCellPhone.getText();
String addDepositPaid = txtDepositPaid.getText();
String addDepositAmtPaid = txtDepositAmtPaid.getText();
Statement lstatement = conn.createStatement();
ls_query = "INSERT INTO Renter (FirstName,LastName,CellPhone,DepositPaid,DepositAmtPaid) VALUES('" + addFirstName + "','" + addLastName + "','" + addCellPhone + "','" + addDepositPaid + "'," + addDepositAmtPaid + ")";
myStatement.executeUpdate(ls_query); JOptionPane.showMessageDialog(null, "New Renter Added");
;
Have a look at the database schema, probably column AddressID is marked as NOT NULL. You're trying to insert a record without specifying a value for that column, and as there's no default value specified the insert fails.
So, you can either modify the schema and remove the NOT NULL constraint if that makes sense, OR specify a default value for that column, OR provide one with your insert.
But there is another in my opinion major issue with your code: as you are stringing together the insert statement you're wide open to SQL injections. The solution is quite simple, use PreparedStatement, a good tutorial can be found here
Head over to bobby-tables.com, it's a great first introduction to the very frequent problem of SQL injection with recipes on how to avoid them for many languages, including Java. A great resource!
Add AddressID when using Insert command. In general every non default column and non AutoIncrement column must be inserted.
Try
ls_query = "INSERT INTO Renter (FirstName,LastName,CellPhone,DepositPaid,DepositAmtPaid,AdressId) VALUES('" + addFirstName + "','" + addLastName + "','" + addCellPhone + "','" + addDepositPaid + "','" + addDepositAmtPaid + "','0')";
EDIT
Im not experienced in java. But looks like the ; works like in C#.
A INSERT statement usually ends or delimits with ; in other words in MySQL says execute from this point.
Can you give this a try?
ls_query = "INSERT INTO Renter (FirstName,LastName,CellPhone,DepositPaid,DepositAmtPaid,AdressId) VALUES('" + addFirstName + "','" + addLastName + "','" + addCellPhone + "','" + addDepositPaid + "','" + addDepositAmtPaid + "','0');";
So I'm writing a web app in vb.net and I've found myself a bit conceptually stumped with a particular database issue.
Essentially, I have 2 different "templates" for a form. In one, the user fills in a bunch of text fields and submits it, and it's all shipped off to the database. The second template is identical, except it tracks some additional information, so it submits more to the database. Rather than have a pair of tables with a lot of duplicate columns or a single table with a bunch of nulls, I made 1 table that tracks all the information shared by both templates and another table that stores all the "extra stuff" the 2nd template has.
The problem this has created is I need a way to pair the data from the two back together in order to search for the form and then pull the information out of the database. The collective forms are identified by a surrogate auto-incrementing key which is the primary key of the "shared" table. I attempted to set up a foreign key relationship with the "extra stuff" table, but doing so raised an issue on the application side where I'm not sure how to handle a foreign key that references an auto-increment in my insert statement.
To give a code example:
Dim sInsertInto As String
sInsertInto = "INSERT INTO 5why (date, op_id, serial, why1, why2, why3, why4, why5, root_cause, other_notes, lessons, define, template) VALUES (" + _
"'" + f_date + "', " + _
" '" + f_usr + "', " + _
" '" + f_partnum + "', " + _
" '" + f_first + "', " + _
" '" + f_second + "', " + _
" '" + f_third + "', " + _
" '" + f_fourth + "', " + _
" '" + f_fifth + "', " + _
" '" + f_root + "', " + _
" '" + f_notes + "', " + _
" '" + f_lessons + "', " + _
" '" + f_define + "', " + _
" '" + f_temp + "'" + _
")"
Dim sInsertInto2 As String
sInsertInto2 = "INSERT INTO 5why_mbusi (countermeasure, containment, check_it, standardize_counter, point_cause, method_procedure, group_leader, engineer, shop_am, shop_manager) VALUES (" + _
"'" + f_counter + "', " + _
" '" + f_containment + "', " + _
" '" + f_check + "', " + _
" '" + f_standardCounter + "', " + _
" '" + f_pointOfCause + "', " + _
" '" + f_methodAndProc + "', " + _
" '" + f_groupLeader + "', " + _
" '" + f_engineer + "', " + _
" '" + f_shop_A_M + "', " + _
" '" + f_shopManager + ", '" + _
")"
In the first insert statement I'm inserting all the shared information into the "shared" table. I don't have to worry about the auto-increment here because it's all being handled by the database. The second insert statement ships all the extras into the "extra stuff" table, but I can't insert all those things without figuring out something to put into the foreign key, as it can't be null for the purposes of establishing a relationship between the two sets of data. I'm operating under the impression that just setting the foreign key to AI as well would just start it back over at "1," it wouldn't match the AI being generated by the "shared" table.
Any ideas out there on how to handle it? This was kind of tricky to word, so if you need clarification about anything, let me know and I'll do my best to clear it up.
The standard way to handle this is for the second table to not declare its primary key as auto-increment. Instead, you must specify the value of the primary key in your INSERT statement.
If you insert into the second table immediately after the first table, you can use the special function LAST_INSERT_ID() as the value.
Example:
INSERT INTO table1 (foo) VALUES (1234); -- generates a new `id`
INSERT INTO table2 (id, bar) VALUES (LAST_INSERT_ID(), 'abcd');
The LAST_INSERT_ID() function returns the most recently generated auto-increment value by a prior INSERT statement in the same session. There is no chance that other people doing their own inserts in other sessions will compromise this.
PS: This is a separate issue from your original question, but FWIW you should learn to use query parameters instead of stringing together form fields with string concatenation. Using parameters is easier, faster, and more secure.
String sql= "INSERT INTO UserRecord( name, email, contactNo, password, gender, nationality, " +
"dateOfBirth, address, postalCode, secretQuestion, secretAnswer, userType, obsoleteStatus)";
sql += "VALUES('" + name + "','" + email + "','" + cNo + "','" + pwd + "','" +gen + "','" + nationality + "','"
+ dob + "','" + address + "','" + pCode + "','" + secQuestion +"','"+secAnswer + "','"+ userType +"','" + obsoleteStatus + "')";
String sql2= "INSERT INTO PaymentAccount(creditCardNo,creditCardType,expiryDate,CVV)";
sql2 += "VALUES('" + cCardNo + "','" + cCardType + "','" + expiryDate + "','" + cvv + "')";
Hi guys,i have do some research on the internet on using the Start Transaction and try to implement it but it seems that i always got error. The sql that i provide is perfect but i need someone who can show me how to use the start transaction because i keep messing up with the "".Thanks guys in advance
First you should learn about prepared statements. Your code is pure SQL injection junk. Throw it away. Handling credit card numbers with such code is the best way to get fired.
Second you have to disable auto commit for your database connection. This is enabled and prevents transactions, because after each statement a commit is done by the driver. After that you can execute explicit commits.