I'm working with MySQL and their last available JDBC driver, on a User table with NOT NULL constraints on all its fields, which are id, name, password and email.
In my Java EE application, I first called a simple Statement this way :
statement = connection.createStatement();
statement.executeUpdate( "INSERT INTO User (name, password, email) "
+ "VALUES ('" + paramName + "', '" + paramPassword + "', '" + paramEmail + "');" );
Where paramName, paramPassword and paramEmail are strings. I passed empty strings to this request, and a new line with empty values got successfully inserted in the table, since MySQL considers empty strings different than null entries.
Then, I used a PreparedStatement instead :
preparedStatement = connection.prepareStatement( "INSERT INTO User (name, password, email) VALUES(?, ?, ?);" );
preparedStatement.setString( 1, paramName );
preparedStatement.setString( 2, paramPassword );
preparedStatement.setString( 3, paramEmail );
preparedStatement.executeUpdate();
But this time, when I passed empty strings to the request, I got the following error :
com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: Column 'name' cannot be null
So here's my question : does the PreparedStatement, or maybe its setString() method, convert empty strings to null values? I looked it up and didn't find any information about this behavior in the javadoc.
The documentation of java.sql.PreparedStatatement didn't say anything about this in the method setString. I take a look at the sources of the MySQL ConnectorJ and I didn't find anything too. Are you sure that your String is not null?
The answer is NO. Please make sure that the value of your parameters are not null. Maybe your variable paramName is NULL.
Related
i have a problem with doing parameterized upsert commands over odbc.
Thats the upsert command
Dim upsert As New OdbcCommand
upsert.Connection = connection
upsert.CommandText = "
INSERT INTO products_replacement
(products_model, products_replacement)
VALUES
(#products_model, #products_replacement)
ON DUPLICATE KEY UPDATE products_replacement = #products_replacement;
"
upsert.Parameters.Add("#products_replacement", OdbcType.VarChar)
upsert.Parameters.Add("#products_model", OdbcType.VarChar)
For Each Product In ListOfProducts
upsert.Parameters.Item("#products_replacement").Value = Product.Value
upsert.Parameters.Item("#products_model").Value = Product.Key
upsert.ExecuteNonQuery()
NEXT
Error message: "ERROR [HY000] [MySQL][ODBC 5.1 Driver][mysqld-5.7.30]Column 'products_model' cannot be null"
In the Debugger the values of the parameters are correctly set.
Something like that works
upsert.Commandtext = upsert.Commandtext.Replace("#products_replacement", $"'{Product.Value}'").Replace("#products_model", $"'{Product.Key}'")
upsert.ExecuteNonQuery()
ListOfProducts is a Dictionary(Of String, String)
Error handling and other stuff is stripped from my above example code.
Parameterized querys are prefered and i had no problems doing the same with MS SQL...
What am I missing?
Help is appreciated.
ODBC doesn't use named parameters
You can give them names in the SQL, but you should then imagine that they all get transformed into ? and are treated positionally by the driver; the name is meaningless
This means you need to add as many parameters to your VB Command.Parameters collection as your statement contains, even if it means repeating values - you cannot reuse VB parameters them by repeating the name in the SQL. The name is still semi useful in VB for indexing purposes:
Dim upsert As New OdbcCommand
upsert.Connection = connection
upsert.CommandText = "
INSERT INTO products_replacement
(products_model, products_replacement)
VALUES
(?, ?)
ON DUPLICATE KEY UPDATE products_replacement = ?;
"
upsert.Parameters.Add("#pmod", OdbcType.VarChar)
upsert.Parameters.Add("#prep1", OdbcType.VarChar)
upsert.Parameters.Add("#prep2", OdbcType.VarChar)
For Each Product In ListOfProducts
upsert.Parameters.Item("#pmod").Value = Product.Value
upsert.Parameters.Item("#prep1").Value = Product.Key
upsert.Parameters.Item("#prep2").Value = Product.Key
upsert.ExecuteNonQuery()
NEXT
I am trying to run a SQL query using Oracle's json_value() function using a PreparedStatement.
Assume the following table setup:
drop table foo cascade constraints purge;
create table foo
(
id integer primary key,
payload clob,
constraint ensure_json check (payload IS JSON STRICT)
);
insert into foo values (1, '{"data": {"k1": 1, "k2": "foo"}}');
The following SQL query works fine:
select *
from foo
where json_value(payload, '$.data.k1') = '1'
and returns the expected row.
However, when I try to run this query using a PreparedStatement like in the the following piece of code:
String sql =
"select *\n" +
"from foo\n" +
"where json_value(payload, ?) = ?";
PreparedStatement pstmt = conection.prepareStatement(sql);
pstmt.setString(1, "$.data.k1");
pstmt.setString(2, "1");
ResultSet rs = pstmt.executeQuery();
(I removed all error checking from the example to keep it simple)
This results in:
java.sql.SQLException: ORA-40454: path expression not a literal
The culprit is passing the json path value (parameter index 1), the second parameter is no problem.
When I replace (only) the first parameter with a String constant json_value(payload, '$.data.k1') = ? the prepared statement works fine.
In a desperate attempt, I also tried including the single quotes in the parameter: pstmt.setString(1, "'$.data.k1'") but not surprisingly, Oracle wouldn't accept it either (same error message).
I also tried using json_value(payload, concat('$.', ?) ) and only passing "data.k1" as the parameter - same result.
So, the question is:
How can I pass a JSON path expression to Oracle's json_value function using a PreparedStatement parameter?
Any ideas? Is this a bug in the driver or in Oracle? (I couldn't find anything on My Oracle Support)
Or is this simply a case of "not implemented"?
Environment:
I am using Oracle 18.0
I tried the 18.3 and 19.3 version of the ojdbc10.jar driver together with OpenJDK 11.
It isn't the driver - you get the same thing with dynamic SQL:
declare
result foo%rowtype;
begin
execute immediate 'select *
from foo
where json_value(payload, :1) = :2'
into result using '$.data.k1', '1';
dbms_output.put_line(result.payload);
end;
/
ORA-40454: path expression not a literal
ORA-06512: at line 4
And it isn't really a bug, it's documented (emphasis added):
JSON_basic_path_expression
Use this clause to specify a SQL/JSON path expression. The function uses the path expression to evaluate expr and find a scalar JSON value that matches, or satisfies, the path expression. The path expression must be a text literal. See Oracle Database JSON Developer's Guide for the full semantics of JSON_basic_path_expression.
So you would have to embed the path literal, rather than bind it, unfortunately:
declare
result foo%rowtype;
begin
execute immediate 'select *
from foo
where json_value(payload, ''' || '$.data.k1' || ''') = :1'
into result using '1';
dbms_output.put_line(result.payload);
end;
/
1 rows affected
dbms_output:
{"data": {"k1": 1, "k2": "foo"}}
or for your JDBC example (keeping the path as a separate string as you presumably want that to be a variable really):
String sql =
"select *\n" +
"from foo\n" +
"where json_value(payload, '" + "$.data.k1" + "') = ?";
PreparedStatement pstmt = conection.prepareStatement(sql);
pstmt.setString(1, "1");
ResultSet rs = pstmt.executeQuery();
Which obviously isn't what you want to do*, but there doesn't seem to be an alternative. Other than turning your query into a function and passing the path variable in to that, but then the function would have to use dynamic SQL, so the effect is much the same - maybe easier to handle SQL injection concerns that way though.
* and I'm aware you know how to do this the embedded way, and know you want to use bind variables because that's the correct thing to do; I've spelled it out more than you need for other visitors *8-)
I'm currently trying to insert new data into an existing table in my database using embedded SQL. I need to be able to enter my data in a dialog box and then have it shown back to me in a dialog box after it has executed.
My problem seems to be with the "s.executeUpdate(input);" for it tells me that I have an error in MySQL syntax. I'm not really sure how to fix it, or how to change the syntax. Help would be much appreciated!
Connection c = null;
try {
Class.forName("com.mysql.jdbc.Driver");
c = DriverManager.getConnection("jdbc:mysql://localhost:3306/company - final project", "root", "");
String query = "INSERT INTO works_on (ESSN, PNO, HOURS)" + "Values (?, ?, ?)";
Statement s = c.prepareStatement(query);
String input = JOptionPane.showInputDialog(null, "Info to be Inserted: ");
s.executeUpdate(input);
JOptionPane.showMessageDialog(null, "Data Inserted: " + input);
c.close();
}
catch (Exception e)
{
e.printStackTrace();
}
You're prepared statement requires 3 parameters, but you did not add any. need to call s.addXXX in the proper order to specify the 3 values to insert, wheres "XXX" is the appropriate type for the values
I have this query:
$sql = "
INSERT INTO table SET
name = '$name',
sku = '$number',
description = '$desc'
";
But the rows containing some special characters (in my case this ') are not inserted.. How I can solve?
Thanks in advance.
When you construct your query, you need to escape the data you are inserting.
You need to at least use addslashes() function in PHP, like this:
$sql = "INSERT INTO table SET name = '".addslashes($name)."', sku = '".addslashes($number)."', description = '".addslashes($desc)."'";
However more correct way is to use a different function than addslashes, which would properly handle all characters in the data, not only apostrophes.
I am using my custom 'escape' function like this:
function escape($text)
{
return str_replace(array('\\', "\0", "\n", "\r", "'", '"', "\x1a"), array('\\\\', '\\0', '\\n', '\\r', "\\'", '\\"', '\\Z'), $text);
}
So using this function, you would write:
$sql = "INSERT INTO table SET name = '".escape($name)."', sku = '".escape($number)."', description = '".escape($desc)."'";
You must use parameterised queries instead of manually appending those values. Currently if name, number or description would contain any sql it would get executed.
A lot more detailed answer is in How can I prevent SQL injection in PHP?
Read about escaping characters in mysql. I think it is done with \
I have an issue with an sql statement and i dont know how to handle it. Here is the problem:
query = "INSERT INTO `mmr`(`userID`, `RunningProjects`, `MainOrders`) VALUES ("
+ session.getAttribute("id")
+ ",'"
+ request.getParameter("RunningProjects")
+ "','"
+ request.getParameter("MainOrders")')";
The values are obtained from the post form which contains free text. The problem is, whenever a user enters characters like ', i will get an error because that tells the compiler that the value is over here(i suppose) and now look for the next value. I don't know how to include these characters and send them to database without having an error. Any help would be appreciated. Thank you.
The character ' is used to surround literals in MySQL. And if any data contains such character as part of it, we have to escape it. This can be done using Prepared Statement in Java.
Change your query code accordingly.
query = "INSERT INTO `mmr`(`userID`, `RunningProjects`, `MainOrders`)
VALUES ( ?, ?,? )";
Now define a PreparedStatement instance and use it to bind values.
PreparedStatement pst = con.prepareStatement( query );
pst.setString( 1, session.getAttribute("id") );
pst.setString( 2, request.getParameter("RunningProjects") );
pst.setString( 3, request.getParameter("MainOrders") );
int result = pst.executeUpdate();
And, I suggest use of beans to handle business logic.
change
query = "INSERT INTO `mmr`(`userID`, `RunningProjects`, `MainOrders`) VALUES ("
+ session.getAttribute("id")
+ ",'"
+ request.getParameter("RunningProjects")
+ "','"
+ request.getParameter("MainOrders")
+ "')";
I think you are using normal statement in your JDBC code. Instead, I would suggest you to use Prepared statement. Prepared statement is generally used to eliminate this kind of problem and caching issue. If you will use prepared statement I think your problem will be solved