String sql = "INSERT INTO UserRecord(name, email, contactNo, password, gender, nationality, "
           + "dateOfBirth, address, postalCode, secretQuestion, secretAnswer, userType, obsoleteStatus) ";
sql += "VALUES('" + name + "','" + email + "','" + cNo + "','" + pwd + "','" + gen + "','" + nationality + "','"
     + dob + "','" + address + "','" + pCode + "','" + secQuestion + "','" + secAnswer + "','" + userType + "','" + obsoleteStatus + "')";
String sql2 = "INSERT INTO PaymentAccount(creditCardNo,creditCardType,expiryDate,CVV) ";
sql2 += "VALUES('" + cCardNo + "','" + cCardType + "','" + expiryDate + "','" + cvv + "')";
Hi guys, I have done some research on the internet on using START TRANSACTION and tried to implement it, but it seems that I always get an error. The SQL that I provide is perfect, but I need someone who can show me how to use START TRANSACTION because I keep messing up with the "". Thanks guys in advance.
First you should learn about prepared statements. Your code is pure SQL injection junk. Throw it away. Handling credit card numbers with such code is the best way to get fired.
Second you have to disable auto commit for your database connection. This is enabled and prevents transactions, because after each statement a commit is done by the driver. After that you can execute explicit commits.
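The two points in the answer above, prepared statements and an explicit transaction, put together as an added example (not code from the question or the answer). It keeps the question's table names but shortens the column lists; the CVV column is left out because card verification values must not be stored after authorization (PCI DSS), and the password column receives a hash rather than the plaintext. It assumes a JDBC driver for the given URL is on the classpath and that the two tables exist.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class RegisterUserTx {

    // Column lists are shortened from the question's tables; illustrative schema, not the asker's.
    private static final String USER_SQL =
        "INSERT INTO UserRecord (name, email, contactNo, password) VALUES (?, ?, ?, ?)";
    private static final String PAYMENT_SQL =
        "INSERT INTO PaymentAccount (creditCardNo, creditCardType, expiryDate) VALUES (?, ?, ?)";

    /**
     * Writes the user and the payment account as one unit of work: either both rows
     * are committed or, if anything fails, the transaction is rolled back and nothing
     * is written. The '?' placeholders are bound by the driver, so a quote or a
     * semicolon inside a value is stored as data instead of becoming part of the SQL.
     */
    static void registerUser(Connection conn, String name, String email, String contactNo,
                             String passwordHash, String cardNo, String cardType,
                             String expiryDate) throws SQLException {
        boolean previousAutoCommit = conn.getAutoCommit();
        conn.setAutoCommit(false);   // START TRANSACTION: the driver stops committing after each statement
        try (PreparedStatement user = conn.prepareStatement(USER_SQL);
             PreparedStatement payment = conn.prepareStatement(PAYMENT_SQL)) {

            user.setString(1, name);
            user.setString(2, email);
            user.setString(3, contactNo);
            user.setString(4, passwordHash);   // a password hash, never the plaintext password
            user.executeUpdate();

            payment.setString(1, cardNo);
            payment.setString(2, cardType);
            payment.setString(3, expiryDate);
            payment.executeUpdate();

            conn.commit();                      // COMMIT: both rows become visible together
        } catch (SQLException e) {
            conn.rollback();                    // ROLLBACK: undo the first insert if the second failed
            throw e;
        } finally {
            conn.setAutoCommit(previousAutoCommit);
        }
    }

    // Usage: java RegisterUserTx <jdbc-url> <db-user> <db-password>
    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(args[0], args[1], args[2])) {
            // Constructed sample values; the apostrophe in the name is harmless with bound parameters.
            registerUser(conn, "O'Brien", "obrien@example.test", "0000000000",
                         "<bcrypt hash of the password>", "<card number>", "VISA", "12/29");
            System.out.println("user and payment account committed");
        }
    }
}
```

With auto-commit on, the first executeUpdate would already be committed before the second one ran, which is why the explicit setAutoCommit(false) must come before the inserts and the commit after both.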
Related
String query = "insert into course_data values(null," + CourseName + ","
+ SCrsDesrpTemp + "," + CrsDes + "," + crsurl + ","
+ youtube + "," + sqlStrDate + "," + crsduration + ","
+ CrsImg + "," + "'Open2Study', 'Free', 'English', 'Yes'," + CrsImgUni + date + ")";
I keep getting syntax errors. The variable names are strings that hold values from scraped websites. I printed them out and they work fine, they all are of type string. But for some reason, I keep getting syntax error in the SQL query.
When presented to the database like this, string (and date) values need to be in single quotes.
String query = "insert into course_data values(null,'" + CourseName + "','"
+ SCrsDesrpTemp + "','" + CrsDes + "','" + crsurl + "','"
+ youtube + "','" + sqlStrDate + "','" + crsduration + "','"
+ CrsImg + "'," + "'Open2Study', 'Free', 'English', 'Yes','" + CrsImgUni + date + "')";
The last part, "CrsImgUni + date", may be incorrect, and you may need to ensure that dates are formatted correctly.
See also What is SQL injection?
String query = "insert into course_data "
        + "values (null, '"
        + CourseName + "','"
        + SCrsDesrpTemp + "','"
        + CrsDes + "','"
        + crsurl + "','"
        + youtube + "','"
        + sqlStrDate + "','"
        + crsduration + "','"
        + CrsImg + "','"
        + category + "',"
        + "'Open2Study', '0.00', 'English', 'Yes','"
        + CrsImgUni + "','"
        + "GETDATE()" + "')";
That is my attempt above. I am trying to insert the current date and time into a date-time column but I keep getting syntax error for the query. It says GETDATE() is not the correct datatype for the column date-time.
Try this for SQL Server:
ALTER TABLE course_data ADD CONSTRAINT
DF_MyTable_Inserted DEFAULT GETDATE() FOR crsduration
GO
This assumes your table is named course_data, the column is crsduration, and the name of the constraint is to be DF_MyTable_Inserted.
If the db is MySQL, use NOW() to get the current date and time:
NOW()      // current date and time
CURDATE()  // current date
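The two course_data questions above have the same root cause: the values are pasted into the SQL text, so a string needs hand-placed quotes, a date needs the exact format the server expects, and the quoted "GETDATE()" arrives as the literal text GETDATE() rather than a function call. As an added example (not code from any post above), this inserts a course with bound parameters and lets the database fill the timestamp column itself. The column names, the JDBC driver on the classpath and the connection arguments are assumptions; the original queries used a positional VALUES list.

```java
import java.sql.Connection;
import java.sql.Date;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.time.LocalDate;

public class CourseInsert {

    // Column names are assumed for this example.
    // CURRENT_TIMESTAMP is part of the SQL text, not a quoted value, so the database evaluates it;
    // it is accepted by SQL Server and MySQL alike, where GETDATE() and NOW() are the native spellings.
    private static final String SQL =
        "INSERT INTO course_data (course_name, description, url, start_date, duration_weeks, provider, created_at) "
      + "VALUES (?, ?, ?, ?, ?, 'Open2Study', CURRENT_TIMESTAMP)";

    /** Inserts one course row; returns the number of rows written (1 on success). */
    static int insertCourse(Connection conn, String name, String description, String url,
                            LocalDate startDate, int durationWeeks) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            ps.setString(1, name);                    // quoting is the driver's job: a ' in the name is data
            ps.setString(2, description);
            ps.setString(3, url);
            ps.setDate(4, Date.valueOf(startDate));   // typed DATE parameter: no yyyy-MM-dd string to get wrong
            ps.setInt(5, durationWeeks);              // numeric column receives a number, not a quoted string
            return ps.executeUpdate();
        }
    }

    // Usage: java CourseInsert <jdbc-url> <db-user> <db-password>
    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(args[0], args[1], args[2])) {
            // Constructed sample values, including an apostrophe that would break string concatenation.
            int rows = insertCourse(conn, "O'Reilly-style Databases 101",
                                    "constructed sample description", "https://example.test/course",
                                    LocalDate.of(2024, 3, 1), 6);
            System.out.println("rows inserted: " + rows);
        }
    }
}
```

If the current time must come from the application instead of the server, bind it as a typed value too (ps.setTimestamp with a java.sql.Timestamp) rather than formatting it into the query string.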
String status = "active", nit = "", grniid = "", sumn = "";
try {
    Connection ss = Class_DB.myconnection();
    Statement st = ss.createStatement();
    ResultSet rs = st.executeQuery("select stock_in_hand from item_supplier where item_ID =('" + TF_GRN_ITEMID.getSelectedItem() + "')");
    grniid = TF_GRN_NO_OF_ITEM.getText();
    int aa = Integer.parseInt(grniid);
    while (rs.next()) {
        nit = rs.getString("stock_in_hand");
    }
    int bb = Integer.parseInt(nit);
    sumn = grniid + nit;
    int cc = Integer.parseInt(sumn);
    st.executeUpdate("insert into grn1 values('" + TF_GRN_GRNNO.getText() + "','" + TF_GRN_SUPPLIERID.getSelectedItem() + "','" + TF_GRN_AMOUNT.getText() + "','" + TF_GRN_DATE.getText() + "')");
    st.executeUpdate("insert into grn2 values('" + TF_GRN_GRNNO.getText() + "','" + TF_GRN_ITEMID.getSelectedItem() + "','" + TF_GRN_EXP_DATE.getText() + "','" + TF_GRN_TAX.getText() + "','" + TF_GRN_NO_OF_ITEM.getText() + "','" + TF_GRN_GAMOUNT.getText() + "','" + TF_GRN_NAMOUNT.getText() + "','" + TF_GRN_QTY.getText() + "','" + TF_GRN_UNIT.getText() + "','" + TF_GRN_FREE.getText() + "','" + TF_GRN_DIS.getText() + "')");
    st.executeUpdate("update item_supplier set stock_in_hand='" + cc + "' where item_ID='" + TF_GRN_ITEMID.getSelectedItem() + "'");
    JOptionPane.showMessageDialog(null, "Data Saved");
    clearing();
} catch (Exception ex) {
    JOptionPane.showMessageDialog(null, "There is some error. Please contact admin");
    ex.printStackTrace();
}
This is the GRN query. GRN stands for Good Receive Note.
When we receive goods/items from the supplier, the company receives a GRN.
The details of the items will be included in the GRN.
These data/details will be inserted into the GRN1 table and the GRN2 table, and the item_Supplier table will be updated according to it.
nit is the variable in which stock in hand, retrieved using the item_id table and the item supplier table, is stored.
bb is the variable used to convert nit to an integer.
grnid is the number of items which we type in the interface; it will be included in the grnid variable.
aa is the variable used to convert grnid to an integer.
class_DB - connection class of the database.
Our problem is:
1) It is inserted into the GRN1 and GRN2 tables, but the item_supplier table is not updated.
2) We want to know if our calculation is correct or not.
I need help on what I am doing wrong, please.
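The stock calculation in the GRN code above is where a reader should look first: grniid and nit are both Strings, so grniid + nit concatenates them ("5" + "10" gives "510") instead of adding, and the UPDATE then reports success even when its WHERE clause matched nothing. As an added example (not the asker's code), this does the addition on the database side in one statement, binds the item id as a parameter, and treats an update that changed zero rows as an error. It assumes stock_in_hand is an integer column, a JDBC driver on the classpath, and connection arguments on the command line; the three statements of the original would belong in one transaction (setAutoCommit(false), commit on success), which is omitted here to keep the point visible.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class StockUpdate {

    /**
     * Adds the received quantity to stock_in_hand for one item. The addition is done by the
     * database inside a single UPDATE, so there is no read-then-write window in which a
     * concurrent GRN could overwrite the value. Returns the number of rows changed.
     */
    static int receiveStock(Connection conn, String itemId, int receivedQty) throws SQLException {
        if (receivedQty <= 0) {
            throw new IllegalArgumentException("received quantity must be positive: " + receivedQty);
        }
        String sql = "UPDATE item_supplier SET stock_in_hand = stock_in_hand + ? WHERE item_ID = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, receivedQty);
            ps.setString(2, itemId);
            int rows = ps.executeUpdate();
            if (rows == 0) {
                // The silent failure in the question: executeUpdate "succeeded" but matched no row.
                throw new SQLException("no item_supplier row for item_ID " + itemId);
            }
            return rows;
        }
    }

    /** The arithmetic the question intends: parse both text fields, then add the numbers. */
    static int newStockLevel(String typedQty, String storedStock) {
        // The original did grniid + nit on Strings, which concatenates: "5" + "10" is "510", not 15.
        return Integer.parseInt(typedQty.trim()) + Integer.parseInt(storedStock.trim());
    }

    // Usage: java StockUpdate <jdbc-url> <db-user> <db-password>
    public static void main(String[] args) throws SQLException {
        System.out.println("5 + 10 as numbers = " + newStockLevel("5", "10"));
        try (Connection conn = DriverManager.getConnection(args[0], args[1], args[2])) {
            // "ITEM-001" is a constructed sample item id.
            System.out.println("rows updated: " + receiveStock(conn, "ITEM-001", 5));
        }
    }
}
```

Checking the return value of executeUpdate is what turns "item_supplier is not updated" from a mystery into a concrete error message naming the item id that did not match.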
I have a database called renters.
AddressID is an auto-increment column in a table called Property and is included in a table called Renter. I am doing a Java assignment.
I connect to the database, and when I try to add a new renter it gives me this error:
Error processing the SQL!java.sql.SQLException: Field 'AddressID' doesn't have a default value
Database connection terminated
Here is my insert statement:
String addFirstName = txtFirstName.getText();
String addLastName = txtLastName.getText();
String addCellPhone = txtCellPhone.getText();
String addDepositPaid = txtDepositPaid.getText();
String addDepositAmtPaid = txtDepositAmtPaid.getText();
Statement lstatement = conn.createStatement();
ls_query = "INSERT INTO Renter (FirstName,LastName,CellPhone,DepositPaid,DepositAmtPaid) VALUES('" + addFirstName + "','" + addLastName + "','" + addCellPhone + "','" + addDepositPaid + "'," + addDepositAmtPaid + ")";
lstatement.executeUpdate(ls_query);
JOptionPane.showMessageDialog(null, "New Renter Added");
Have a look at the database schema, probably column AddressID is marked as NOT NULL. You're trying to insert a record without specifying a value for that column, and as there's no default value specified the insert fails.
So, you can either modify the schema and remove the NOT NULL constraint if that makes sense, OR specify a default value for that column, OR provide one with your insert.
But there is another, in my opinion major, issue with your code: as you are stringing together the insert statement, you're wide open to SQL injection. The solution is quite simple: use PreparedStatement. A good tutorial can be found here.
Head over to bobby-tables.com, it's a great first introduction to the very frequent problem of SQL injection with recipes on how to avoid them for many languages, including Java. A great resource!
Add AddressID when using the INSERT command. In general, every column without a default value and every non-auto-increment column must be given a value in the insert.
Try
ls_query = "INSERT INTO Renter (FirstName,LastName,CellPhone,DepositPaid,DepositAmtPaid,AddressID) VALUES('" + addFirstName + "','" + addLastName + "','" + addCellPhone + "','" + addDepositPaid + "','" + addDepositAmtPaid + "','0')";
EDIT
I'm not experienced in Java, but it looks like the ; works like in C#.
An INSERT statement usually ends or is delimited with ;, which in MySQL, in other words, says "execute from this point".
Can you give this a try?
ls_query = "INSERT INTO Renter (FirstName,LastName,CellPhone,DepositPaid,DepositAmtPaid,AddressID) VALUES('" + addFirstName + "','" + addLastName + "','" + addCellPhone + "','" + addDepositPaid + "','" + addDepositAmtPaid + "','0');";
So I'm writing a web app in vb.net and I've found myself a bit conceptually stumped with a particular database issue.
Essentially, I have 2 different "templates" for a form. In one, the user fills in a bunch of text fields and submits it, and it's all shipped off to the database. The second template is identical, except it tracks some additional information, so it submits more to the database. Rather than have a pair of tables with a lot of duplicate columns or a single table with a bunch of nulls, I made 1 table that tracks all the information shared by both templates and another table that stores all the "extra stuff" the 2nd template has.
The problem this has created is I need a way to pair the data from the two back together in order to search for the form and then pull the information out of the database. The collective forms are identified by a surrogate auto-incrementing key which is the primary key of the "shared" table. I attempted to set up a foreign key relationship with the "extra stuff" table, but doing so raised an issue on the application side where I'm not sure how to handle a foreign key that references an auto-increment in my insert statement.
To give a code example:
Dim sInsertInto As String
sInsertInto = "INSERT INTO 5why (date, op_id, serial, why1, why2, why3, why4, why5, root_cause, other_notes, lessons, define, template) VALUES (" + _
    "'" + f_date + "', " + _
    " '" + f_usr + "', " + _
    " '" + f_partnum + "', " + _
    " '" + f_first + "', " + _
    " '" + f_second + "', " + _
    " '" + f_third + "', " + _
    " '" + f_fourth + "', " + _
    " '" + f_fifth + "', " + _
    " '" + f_root + "', " + _
    " '" + f_notes + "', " + _
    " '" + f_lessons + "', " + _
    " '" + f_define + "', " + _
    " '" + f_temp + "'" + _
    ")"
Dim sInsertInto2 As String
sInsertInto2 = "INSERT INTO 5why_mbusi (countermeasure, containment, check_it, standardize_counter, point_cause, method_procedure, group_leader, engineer, shop_am, shop_manager) VALUES (" + _
    "'" + f_counter + "', " + _
    " '" + f_containment + "', " + _
    " '" + f_check + "', " + _
    " '" + f_standardCounter + "', " + _
    " '" + f_pointOfCause + "', " + _
    " '" + f_methodAndProc + "', " + _
    " '" + f_groupLeader + "', " + _
    " '" + f_engineer + "', " + _
    " '" + f_shop_A_M + "', " + _
    " '" + f_shopManager + "'" + _
    ")"
In the first insert statement I'm inserting all the shared information into the "shared" table. I don't have to worry about the auto-increment here because it's all being handled by the database. The second insert statement ships all the extras into the "extra stuff" table, but I can't insert all those things without figuring out something to put into the foreign key, as it can't be null for the purposes of establishing a relationship between the two sets of data. I'm operating under the impression that just setting the foreign key to AI as well would start it back over at "1"; it wouldn't match the AI being generated by the "shared" table.
Any ideas out there on how to handle it? This was kind of tricky to word, so if you need clarification about anything, let me know and I'll do my best to clear it up.
The standard way to handle this is for the second table to not declare its primary key as auto-increment. Instead, you must specify the value of the primary key in your INSERT statement.
If you insert into the second table immediately after the first table, you can use the special function LAST_INSERT_ID() as the value.
Example:
INSERT INTO table1 (foo) VALUES (1234); -- generates a new `id`
INSERT INTO table2 (id, bar) VALUES (LAST_INSERT_ID(), 'abcd');
The LAST_INSERT_ID() function returns the most recently generated auto-increment value by a prior INSERT statement in the same session. There is no chance that other people doing their own inserts in other sessions will compromise this.
PS: This is a separate issue from your original question, but FWIW you should learn to use query parameters instead of stringing together form fields with string concatenation. Using parameters is easier, faster, and more secure.
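Both the Renter/Property question (the NOT NULL AddressID with no default) and the "shared"/"extra stuff" question above come down to the same thing: insert the parent row, get the key the database generated, and use it as the child's foreign key in the same transaction. The answer shows the MySQL form with LAST_INSERT_ID(); as an added example (not code from any post above), this is the driver-portable JDBC form using getGeneratedKeys, with the answer's query-parameter advice applied. It uses the Renter/Property names from the first question; the Street column, the JDBC driver on the classpath and the connection arguments are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class ParentChildInsert {

    // Table and column names follow the Renter/Property question; Street is an assumed column.
    private static final String PROPERTY_SQL = "INSERT INTO Property (Street) VALUES (?)";
    private static final String RENTER_SQL =
        "INSERT INTO Renter (FirstName, LastName, CellPhone, AddressID) VALUES (?, ?, ?, ?)";

    /**
     * Inserts the parent row, reads back the AddressID the database generated for it, and
     * uses that value as the foreign key of the child row. Both inserts share one transaction,
     * so a failed child insert does not leave an orphaned Property behind. Returns the AddressID.
     */
    static long addRenterWithAddress(Connection conn, String street, String firstName,
                                     String lastName, String cellPhone) throws SQLException {
        boolean previousAutoCommit = conn.getAutoCommit();
        conn.setAutoCommit(false);
        try (PreparedStatement property = conn.prepareStatement(PROPERTY_SQL, Statement.RETURN_GENERATED_KEYS);
             PreparedStatement renter = conn.prepareStatement(RENTER_SQL)) {

            property.setString(1, street);
            property.executeUpdate();

            long addressId;
            try (ResultSet keys = property.getGeneratedKeys()) {   // JDBC's portable LAST_INSERT_ID()
                if (!keys.next()) {
                    throw new SQLException("driver returned no generated key for Property");
                }
                addressId = keys.getLong(1);
            }

            renter.setString(1, firstName);
            renter.setString(2, lastName);
            renter.setString(3, cellPhone);
            renter.setLong(4, addressId);     // the NOT NULL foreign key the original insert left out
            renter.executeUpdate();

            conn.commit();
            return addressId;
        } catch (SQLException e) {
            conn.rollback();
            throw e;
        } finally {
            conn.setAutoCommit(previousAutoCommit);
        }
    }

    // Usage: java ParentChildInsert <jdbc-url> <db-user> <db-password>
    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(args[0], args[1], args[2])) {
            // Constructed sample values.
            long id = addRenterWithAddress(conn, "1 Example Street", "Ada", "Lovelace", "0000000000");
            System.out.println("new Renter linked to AddressID " + id);
        }
    }
}
```

Like LAST_INSERT_ID(), the generated key is scoped to this connection, so inserts from other sessions cannot be mixed up with it; the transaction is what guarantees the two rows either both exist or neither does.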