JDBC prepareStatement doesn't work - mysql

I'm trying to use the prepareStatement function. The code is below. After it executes, it returns me a bunch of vlicense strings instead of the values.
When the code finishes statement.setString(), the statement becomes:
select 'vlicense' from Vehicle
However, it needs to be:
select vlicense from Vehicle
without the quotation marks. Can anyone tell me what's the problem?
statement = oConnection.prepareStatement("select ? from Vehicle");
String tempString = "vlicense";
statement.setString(1, tempString);
resultSet = statement.executeQuery();

You can't use parameter markers for column names, table names, data type names, or basically anything that isn't data.

When you add a bind variable to a statement like this it is escaped, so the actual SQL string in your example would go to the database as "SELECT 'vlicense' FROM Vehicle", selecting a literal string instead of the column name you want.
You need to concatenate that variable column name into your SQL statement before you prepare it:
statement = oConnection.prepareStatement("SELECT " + vlicense + " FROM Vehicle");
Bind variables are really for query parameters as opposed to dynamic queries.
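
One way to keep the concatenation suggested above safe, as an added example that is not part of the original answers: match the requested column exactly against a fixed allowlist before building the SQL, and keep binding data values with `?`. The column names other than vlicense, the owner_id filter, and the class and method names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class VehicleColumnQuery {
    // Assumed columns of Vehicle; only "vlicense" appears in the question.
    private static final Set<String> ALLOWED_COLUMNS = Set.of("vlicense", "make", "model");

    // Build the SQL text. The column name is an identifier, so it cannot be a
    // bind parameter; it is concatenated only after an exact allowlist match.
    static String buildSelect(String column) {
        if (column == null || !ALLOWED_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("column not allowed: " + column);
        }
        return "SELECT " + column + " FROM Vehicle WHERE owner_id = ?"; // owner_id is assumed
    }

    // Data values still travel as bind parameters.
    static List<String> fetch(Connection conn, String column, int ownerId) throws SQLException {
        List<String> values = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(buildSelect(column))) {
            ps.setInt(1, ownerId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    values.add(rs.getString(1));
                }
            }
        }
        return values;
    }

    public static void main(String[] args) {
        // Constructed inputs; no database connection is needed for this part.
        System.out.println(buildSelect("vlicense"));
        try {
            buildSelect("vlicense, model"); // not an exact allowlist entry
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```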

The ? can't be used to specify the fields, just to do some filters in your query like:
statement = conn.prepareStatement("select field from Vehicle where name=?");
In your case your query is built as:
select 'vlicense' from Vehicle
which means: GET ME A STRING 'vlicense' FOR EACH RECORD OF 'Vehicle'. And you'll get n repeated strings depending on the number of records in your table.

It has nothing to do with jdbc, prepared-statements or mysql.
It's just a wrong sql statement.
If you type:
Select 'justanexample' from Vehicle
and the table contains 4 lines, you will get 4 times
'justanexample'
'justanexample'
'justanexample'
'justanexample'
as result.
You did not specify the table structure, but I guess the statement should somehow look like this:
select * from Vehicle where license = ?

Related

where condition is not recognizing my full String

I am using spring and hibernate in my project. This is My Query. When I execute this query I am getting data from DB. But if I frame the query like this I am getting 0 records.
String fullname1 = "this is my String";
select name,gender from account where fullname='fullname1';
If I create query like this I am getting data. But fullname1 is not a static data.
select name,gender from account where fullname like '%this%';
The problem is that if my fullname1 has only one word, then I am getting proper data. If it has multiple words, I am not getting data.
Can anyone suggest how to frame the query in this situation?
Try to concatenate your string to search like this
select name,gender from account where fullname like '%' + yourVariable + '%';
Assuming yourVariable is containing the string which you want to search.
EDIT:
As confirmed by OP in comments the query which worked for him/her is:
"select name,gender from account where fullname='" + fullname1 + "'";
Also your query is prone to SQL Injection. So it is better to use Prepared statement.

Where Clause matching results from function

I have a routine which returns a list of zip codes within so many miles of a particular zip code. I can call the routine and get the result list:
CALL Location.GetNearByZipCodes(28078,5);
Result Set:
28031,28070,28078,28205
I would like to do a query where it selects all records with the output from the routine as part of the where clause:
select * from Location where zipcode in (Location.GetNearByZipCodes(28078,5));
However, this does not work. Is it possible to use the results from the function as part of the where clause? If so, what is the correct syntax?
The above select query fails with:
Error Code 1305: Location.GetNearByZipCodes does not exist.
Thanks in advance for your help!
Try this:
"select * from Location where zipcode in (".Location.GetNearByZipCodes(28078,5).");"
Also make sure this function returns a string with zipcodes separated by commas.
You can also call Location.GetNearByZipCodes() before the query and store the returned value in a variable and then use the variable in the query the way you're used to doing it.

Sql Query LIKE not working

Hi, I have been trying to do a query that receives the value from a query string, but it is not working. I think the query itself is no good. Could you help me?
So I receive the query on
<%String detalhe = request.getParameter("value");%>
I won't put the connections and stuff, because they work with other queries, so the problem is not the connections.
// sql query to retrieve values from the specified table.
String QueryString = "SELECT * FROM ebooko.dadoslivros WHERE Autor LIKE '%" + detalhe + "%'"
        + " OR ano LIKE '%" + detalhe + "%'";
rs = statement.executeQuery(QueryString);
It simply cannot retrieve the value I'm querying.
Additional info:
Table: dadoslivros
Columns that I need to compare the value: Autor, ano.
For example, when I run the href, the value that is passed is: Jules%Verne (I guess it changes SPACES to '%').
Use URLDecoder#decode() to decode the parameters in the query string.
You should also consider using a PreparedStatement to prevent SQL injection attacks.
I solved it by changing the query:
String QueryString = "SELECT * FROM dadoslivros WHERE (Data LIKE '%" + detalhe + "%') OR (Autor LIKE '%" + detalhe + "%')";
Maybe it can help another person ;)
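
The PreparedStatement suggestion above applied to this LIKE search, as an added example that is not part of the original posts: the wildcards go into the bound value, and any `%` or `_` in the user's input is escaped so it matches literally. The class and method names and the `!` escape character are assumptions; the table and column names come from the question.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class BookSearch {
    // Escape LIKE metacharacters so the term matches literally. '!' is the
    // escape character declared by the ESCAPE clause in the query below.
    static String escapeLike(String term) {
        return term.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    // The wildcards are part of the bound value, not of the SQL text.
    static String containsPattern(String term) {
        return "%" + escapeLike(term) + "%";
    }

    static List<String> search(Connection conn, String detalhe) throws SQLException {
        String sql = "SELECT Autor FROM ebooko.dadoslivros"
                   + " WHERE Autor LIKE ? ESCAPE '!' OR ano LIKE ? ESCAPE '!'";
        List<String> authors = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            String pattern = containsPattern(detalhe);
            ps.setString(1, pattern);
            ps.setString(2, pattern);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    authors.add(rs.getString("Autor"));
                }
            }
        }
        return authors;
    }

    public static void main(String[] args) {
        // Constructed inputs; no database connection is needed for this part.
        System.out.println(containsPattern("Jules Verne"));
        System.out.println(containsPattern("100%_done!"));
    }
}
```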

Inability to retrieve unicode resultset

I have been able to successfully insert unicode values into my database but am not able to retrieve them through a java resultset. The same query fetches data from the mysql query browser. The sql reads thus:
SELECT book_name FROM book_resource_user_view WHERE MATCH(book_name) AGAINST ('तेरा मुझसे है पेहला का नाता कोई') limit 25
Before attempting the select statement, I did this:
String query = "set names utf8";
state.executeUpdate(query);
Still no success? Any suggestions?
I seem to have found the answer. I had modified the keyword variable using
keyword = new String(keyword.getBytes("ISO-8859-1"), "UTF-8");
After I commented that statement and used the keyword variable directly from the form, it seems to work.

Search returns no rows in mysql query using LIKE and values having "\"

I have some problem regarding the search in mysql.
Below is my query.
SELECT * FROM table WHERE name LIKE "%admin\'s%";
When I am executing this query it will return zero data.
Actually, I have "admin\'s" stored in the DB. This "\" is to prevent SQL injection. I have used mysql_real_escape_string to prevent the SQL injection.
But when I use addslashes three times on my variable, it works.
So my below query is working.
SELECT * FROM table WHERE name LIKE "%admin\\\\\\\'s%";
My above query will return the data with name like admin's.
I am not getting where I am wrong.
Well, for one, you shouldn't have data like this in your DB: admin\'s. Most likely you double-escaped your string (check if you don't have magic_quotes enabled on your server).
If you only do
INSERT ... username = "admin\'s";
you will have in your db the username value admin's
So my recommendation would be to go ahead and remove the slashes from your database, and then your first query should work.