Can someone help me with the problem that I'm having now?
I have a set of question(survey). When the user done the survey, it will insert to my database.
However, right now, when I submit the survey, it doesn't insert the result into my database.
here is my code:
try {
//Process - Query from SQL
String strSqlnsert = "INSERT INTO Customers (MembershipID, Contact, Email, Address, SurveyStatus, Subscription) VALUES"
+ " ('"+ member_ID + "', " + contact_num + ", '" + email_add + "', '" + mail_add + "' , " + radio_group + "," + receive_info + ")";
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3307/customers", "root", "password");
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(strSqlnsert);
I've also add in the library for the JDBC in the library folder.
It seems the non numeric values aren't quoted
Instead of
" + email_add + ",
try
'" + email_add + "',
In the below insert statement
INSERT INTO table (field1, field2) VALUES ( 5, 'this is a string');
the 'this is a string' is wrapped in quotes, because field2 is of type VARCHAR. field1 is INT so the value assigned to it (5) doesn't need quoting.
The VALUES list must be in braces too and again, non numeric values must be quoted:
String strSqlnsert = "INSERT INTO Customers (MembershipID, Contact, Email, Address, SurveyStatus, Subscription) VALUES (" + member_ID + ", " + contact_num + ", '" + email_add + "', '" + mail_add + "', '" + radio_group + "', '" + receive_info + "')";
Try to make a prepared statement where you can call setInt or setString method of preparedStatement class . so it will automatically remove string or numeric confusion at all.
BTW preparedStatement is the best way to pass parameter in sql query.don't use Statement class for parameter sql query.
Related
Here's the syntax:
string insert_query = "insert into book_borrow (BookID, MemberID, Date_Borrow, Date_Return) values ('" + BookID + "', '" + MemberID + "', curdate(), dateadd(month,1, getdate()))";
const char* q = insert_query.c_str();
qstate = mysql_query(conn, q);
I have error to query execution Problem! 1305
I want to automatically add return date after current date but I can't get it.
For MySQL, it will be DATE_ADD() not dateadd(), document can be found here.
Also do not trust user input like BookID and MemberID to prevent SQL injection. Try using prepared statements.
Try the below SQL
string insert_query = "insert into book_borrow (BookID, MemberID, Date_Borrow, Date_Return)
values ('" + BookID + "', '" + MemberID + "', CURDATE(), DATE_ADD(CURDATE(), INTERVAL 1 MONTH))";
I am using VB.net to access a MySQL database and insert data into this table.
I am getting this data from an opera database, the query I am using is:
Dim queryInsert As String = "INSERT INTO customer_company(customer_id, name, street, zip,
city,country,comments) values(" + c.sn_account.Trim + ", " + name + ", " + road + ", "
+ postcode + ", " + city + ", " + country + ", " + name + ")"
I am then getting an error when it comes to the record:
B010, Charles Birt & Co, Loch House, null, Tenby, Dyfed, Charles Birt & Co
I though that this may be the '&' in the data so I have tried replacing it with || chr(38) || and also escaping it using \& but these do not work. Also I tried setting the postcode to various things like 'N/A', ' ' and null because this particular record doesn't have a postcode but this still gives the error.
Don't know if its the data or the query, any suggestions would be great.
Please use parameters when executing SQL commands.
This avoids problems like you encounter in your question and also minimizes SQL injection attacks:
Dim queryInsert As String =
"INSERT INTO customer_company(customer_id, name, street, zip,city,country,comments) values (#customer_id, #name, #street, #zip, #city, #country, #comments)"
Dim cmd as new MySqlCommand(queryInsert, <YourConnection>)
cmd.Parameters.AddWithValue("#customer_id", c.sn_account.Trim)
cmd.Parameters.AddWithValue("#name", name)
cmd.Parameters.AddWithValue("#street", road)
cmd.Parameters.AddWithValue("#zip", postcode)
cmd.Parameters.AddWithValue("#city", city)
cmd.Parameters.AddWithValue("#country", country)
cmd.Parameters.AddWithValue("#comments", name)
cmd.ExecuteNonQuery();
Not too sure if this will fix your problem but, when adding/inserting a value with a String Data Type Column in SQL, you should have ' '.
in your example:
Dim queryInsert As String = "INSERT INTO customer_company(customer_id,
name, street, zip, city,country,comments)
values(" + c.sn_account.Trim + ", '" + name + "', '" + road + "', "
+ postcode + ", '" + city + "', '" + country + "', '" + name + "')"
i dont add ' ' in customer_id and postcode because i think that they are not string date type.
I have an SSRS report with a datasource connecting to Oracle db, that then uses a transparent gateway to pull DB2 data. Due to using date range validation, and to have an optional parameter, I am using a udf to build the sql statement dynamically. This works well...
Public Function getData(FromDate AS DATE, ToDate AS DATE, Plant AS STRING, PartNumber AS STRING, ExtTxnCd AS STRING, DateRangeValid AS STRING) AS STRING
Dim sqlStmt AS STRING = ""
sqlStmt = "SELECT ITEM_NO, TXN_DATE, TXN_TIME, QUANTITY, ITEM_DESC, PLANT_NO, ORDER_NO, INT_TXN_CD, EXT_TXN_CD, AREA||ROW||BIN||SHELF Secondary_Loc FROM TABLEA, TABLEB"
sqlStmt = sqlStmt + " WHERE TXN_DATE >= '" + FromDate + "'"
sqlStmt = sqlStmt + " AND TXN_DATE < '" + ToDate + "'"
sqlStmt = sqlStmt + " AND PLANT_NO = '" + Plant + "'"
IF PartNumber <> Nothing THEN
sqlStmt = sqlStmt + " AND REPLACE(ITEM_NO,' ','') = '" + PartNumber + "'"
END IF
sqlStmt = sqlStmt + " AND EXT_TXN_CD = '" + ExtTxnCd + "'"
sqlStmt = sqlStmt + " AND 'True' = '" + DateRangeValid + "'"
sqlStmt = sqlStmt + " AND A_INT_TXN_CD||A_TXN_DESC_CODE = B_INT_TXN_CD||B_TXN_TYPE_CD ORDER BY TXN_DATE, TXN_TIME"
RETURN sqlStmt
END Function
The issue arises in the requirement to have one of the report parameters (ExtTxnCd) allow multiple values to be selected (I've done so many times, just not yet when building the sql statement dynamically like this). If I were to hardcode it, that condition would look something like...
AND EXT_TXN_CD IN ('ABC123','ABC234','ABC678', 'ABC789')
When I change the parameter property to allow multiple values, and change 2 lines in the function's where clause to:
sqlStmt = sqlStmt + " AND THF_EXT_TXN_CD IN ('" + ExtTxnCd + "'"
sqlStmt = sqlStmt + ") AND 'True' = '" + DateRangeValid + "'"
...and try running the report, I get an error:
'Cannot add multiple value query parameter '#ExtTxnCd' for dataset
'Dataset1' because it is not supported by the data extension.'
Then I changed my dataset query, call to the function, to pass in that parameter value as Join(Parameters!ExtTxnCd.Value,","), and in the dataset parameters, changed that parameter's value to also use the JOIN. Now I don't get the errors, but I get no data returned when expecting data based on the parameters selected.
I believe the issue is that the parameter values ... 'ABC123,ABC234,etc..' is being passed in as comma-separated values but as one long string value, rather than each value being passed in being wrapped in single quotes. How would I build the dynamic sql statement with each value in single quotes?
You need to separate the parameters with quotes. Try Join(Parameters!ExtTxnCd.Value, "','")
This means your string is being built in two places however: the intervening quotes and commas in SSRS and the brackets and outside quotes by your Oracle udf. It would be less confusing to build it all in the one spot, so SSRS becomes:
"('" & Join(Parameters!ExtTxnCd.Value, "','") & "')"
and in the Oracle udf it is simply:
sqlStmt = sqlStmt + " AND THF_EXT_TXN_CD IN " + ExtTxnCd
I need help on what I am doing wrong, please.
database called renters
addressID is auto-increment from a table called Property, and included in a table called Renter, I am doing a java assignment.
I connect to the database, and when I try to add a new renter it gives me this error
Error processing the SQL!java.sql.SQLException: Field 'AddressID' doesn't have a default value
Database connection terminated
here is my insert statement:
String addFirstName = txtFirstName.getText();
String addLastName = txtLastName.getText();
String addCellPhone = txtCellPhone.getText();
String addDepositPaid = txtDepositPaid.getText();
String addDepositAmtPaid = txtDepositAmtPaid.getText();
Statement lstatement = conn.createStatement();
ls_query = "INSERT INTO Renter (FirstName,LastName,CellPhone,DepositPaid,DepositAmtPaid) VALUES('" + addFirstName + "','" + addLastName + "','" + addCellPhone + "','" + addDepositPaid + "'," + addDepositAmtPaid + ")";
myStatement.executeUpdate(ls_query); JOptionPane.showMessageDialog(null, "New Renter Added");
;
Have a look at the database schema, probably column AddressID is marked as NOT NULL. You're trying to insert a record without specifying a value for that column, and as there's no default value specified the insert fails.
So, you can either modify the schema and remove the NOT NULL constraint if that makes sense, OR specify a default value for that column, OR provide one with your insert.
But there is another in my opinion major issue with your code: as you are stringing together the insert statement you're wide open to SQL injections. The solution is quite simple, use PreparedStatement, a good tutorial can be found here
Head over to bobby-tables.com, it's a great first introduction to the very frequent problem of SQL injection with recipes on how to avoid them for many languages, including Java. A great resource!
Add AddressID when using Insert command. In general every non default column and non AutoIncrement column must be inserted.
Try
ls_query = "INSERT INTO Renter (FirstName,LastName,CellPhone,DepositPaid,DepositAmtPaid,AdressId) VALUES('" + addFirstName + "','" + addLastName + "','" + addCellPhone + "','" + addDepositPaid + "','" + addDepositAmtPaid + "','0')";
EDIT
Im not experienced in java. But looks like the ; works like in C#.
A INSERT statement usually ends or delimits with ; in other words in MySQL says execute from this point.
Can you give this a try?
ls_query = "INSERT INTO Renter (FirstName,LastName,CellPhone,DepositPaid,DepositAmtPaid,AdressId) VALUES('" + addFirstName + "','" + addLastName + "','" + addCellPhone + "','" + addDepositPaid + "','" + addDepositAmtPaid + "','0');";
So I'm writing a web app in vb.net and I've found myself a bit conceptually stumped with a particular database issue.
Essentially, I have 2 different "templates" for a form. In one, the user fills in a bunch of text fields and submits it, and it's all shipped off to the database. The second template is identical, except it tracks some additional information, so it submits more to the database. Rather than have a pair of tables with a lot of duplicate columns or a single table with a bunch of nulls, I made 1 table that tracks all the information shared by both templates and another table that stores all the "extra stuff" the 2nd template has.
The problem this has created is I need a way to pair the data from the two back together in order to search for the form and then pull the information out of the database. The collective forms are identified by a surrogate auto-incrementing key which is the primary key of the "shared" table. I attempted to set up a foreign key relationship with the "extra stuff" table, but doing so raised an issue on the application side where I'm not sure how to handle a foreign key that references an auto-increment in my insert statement.
To give a code example:
Dim sInsertInto As String
sInsertInto = "INSERT INTO 5why (date, op_id, serial, why1, why2, why3, why4, why5, root_cause, other_notes, lessons, define, template) VALUES (" + _
"'" + f_date + "', " + _
" '" + f_usr + "', " + _
" '" + f_partnum + "', " + _
" '" + f_first + "', " + _
" '" + f_second + "', " + _
" '" + f_third + "', " + _
" '" + f_fourth + "', " + _
" '" + f_fifth + "', " + _
" '" + f_root + "', " + _
" '" + f_notes + "', " + _
" '" + f_lessons + "', " + _
" '" + f_define + "', " + _
" '" + f_temp + "'" + _
")"
Dim sInsertInto2 As String
sInsertInto2 = "INSERT INTO 5why_mbusi (countermeasure, containment, check_it, standardize_counter, point_cause, method_procedure, group_leader, engineer, shop_am, shop_manager) VALUES (" + _
"'" + f_counter + "', " + _
" '" + f_containment + "', " + _
" '" + f_check + "', " + _
" '" + f_standardCounter + "', " + _
" '" + f_pointOfCause + "', " + _
" '" + f_methodAndProc + "', " + _
" '" + f_groupLeader + "', " + _
" '" + f_engineer + "', " + _
" '" + f_shop_A_M + "', " + _
" '" + f_shopManager + ", '" + _
")"
In the first insert statement I'm inserting all the shared information into the "shared" table. I don't have to worry about the auto-increment here because it's all being handled by the database. The second insert statement ships all the extras into the "extra stuff" table, but I can't insert all those things without figuring out something to put into the foreign key, as it can't be null for the purposes of establishing a relationship between the two sets of data. I'm operating under the impression that just setting the foreign key to AI as well would just start it back over at "1," it wouldn't match the AI being generated by the "shared" table.
Any ideas out there on how to handle it? This was kind of tricky to word, so if you need clarification about anything, let me know and I'll do my best to clear it up.
The standard way to handle this is for the second table to not declare its primary key as auto-increment. Instead, you must specify the value of the primary key in your INSERT statement.
If you insert into the second table immediately after the first table, you can use the special function LAST_INSERT_ID() as the value.
Example:
INSERT INTO table1 (foo) VALUES (1234); -- generates a new `id`
INSERT INTO table2 (id, bar) VALUES (LAST_INSERT_ID(), 'abcd');
The LAST_INSERT_ID() function returns the most recently generated auto-increment value by a prior INSERT statement in the same session. There is no chance that other people doing their own inserts in other sessions will compromise this.
PS: This is a separate issue from your original question, but FWIW you should learn to use query parameters instead of stringing together form fields with string concatenation. Using parameters is easier, faster, and more secure.