I have a JSP file that runs a select statement against an Oracle database.
All the examples I have seen use something like:
Statement st=connection.createStatement();
ResultSet rs=st.executeQuery("Select * from data");
while(rs.next(){
String name=rs.getString("name");
String add=rs.getString("address");
out.println(name+" "+add);
}
I will never have more than one row coming back is there an alternative to ResultSet and a while loop to get at my returning single row of data?
I have used similar kind of thing to validate user login.
String sql = "SELECT * FROM login WHERE username=? AND password=?";
try {
PreparedStatement statement;
statement = connection.prepareStatement(sql);
statement.setString(1, "hardik"); // set input parameter 1
statement.setString(2, "welcome"); // set input parameter 2
ResultSet rs = statement.executeQuery();
if(rs.next()){
// fetch data from resultset
}
}catch(SQLException sqle){
sqle.printStackTrace();
}
Related
Am I missing an error with the following to insert into a table with four columns, message_id (auto-incremented) message_sender, message_reciever, message_body. I have checked similar questions and haven't found the solution.
'''
<% String sender_id = request.getParameter("message_sender");
String reciever_id = request.getParameter("message_reciever");
String message = request.getParameter("message_body");
try{
Class.forName("com.mysql.jdbc.Driver");
Connection con = DriverManager.getConnection("jdbc:mysql://localhost:3306/fyp", "root", "Kmd116352323!");
Statement st = con.createStatement();
st.executeUpdate("INSERT INTO messages(message_sender,message_reciever,message_body) VALUES('"+sender_id+", "+reciever_id+" , "+message+" ')");
out.println("Your request has been noted."
+ " Please return to your user profile or log out");
} catch(Exception e){
out.println(e);
}
%>
You should not concatenate values into a query string. It makes your code vulnerable to SQL injection, or mistakes like forgetting quotes around values. The specific problem in your case is that you have a quote before the first value and a quote after the last value, which makes it a single value instead of three separate values.
However, instead of fixing the immediate problem by adding those missing quotes, you should switch to using a prepared statement:
try (PreparedStatement pstmt = connection.prepareStatement(
"INSERT INTO messages(message_sender,message_reciever,message_body) VALUES(?, ?, ?)") {
pstmt.setString(1, sender_id);
pstmt.setString(2, reciever_id);
pstmt.setString(3, message);
pstmt.executeUpdate();
}
As an aside, you really should not put data access in a JSP. It belongs in a DAO or service class.
This is incorrect:
VALUES('"+sender_id+", "+reciever_id+" , "+message+" ')
You have a ' wrapping the all the values... Which means sql will think you are only sending 1 value. If they are all text values it should be like this:
VALUES('"+sender_id+"', '"+reciever_id+"' , '"+message+"')
If you know some of the values are of INT type then you do not need the ' for that value:
VALUES("+sender_id+", "+reciever_id+" , '"+message+"')
Text values need to be wrapped with a '
I am trying to do create a where clause to pass as a parameter to an Oracle command and it's proving to be more difficult than I thought. What I want to do is create a big where query based off user input from our application. That where query is to be the single parameter for the statement and will have multiple AND, OR conditions in it. This code here works however isn't exactly what I require:
string conStr = "User Id=testschema;Password=pass12341;Data Source=orapdex01";
Console.WriteLine("About to connect to Database with Connection String: " + conStr);
OracleConnection con = new OracleConnection(conStr);
con.Open();
Console.WriteLine("Connected to the Database..." + Environment.NewLine + "Press enter to continue");
Console.ReadLine();
// Assume the connection is correct because it works already without the parameterization
String block = "SELECT * FROM TEMP_VIEW WHERE NAME = :1";
// set command to create anonymous PL/SQL block
OracleCommand cmd = new OracleCommand();
cmd.CommandText = block;
cmd.Connection = con;
// since execurting anonymous pl/sql blcok, setting the command type
// as text instead of stored procedure
cmd.CommandType = CommandType.Text;
// Setting Oracle Parameter
// Bind the parameter as OracleDBType.Varchar2
OracleParameter param = cmd.Parameters.Add("whereTxt", OracleDbType.Varchar2);
param.Direction = ParameterDirection.Input;
param.Value = "MY VALUE";
// Get returned values from select statement
OracleDataReader dr = cmd.ExecuteReader();
// Read the identifier for each result and display it
while (dr.Read())
{
Console.WriteLine(dr.GetValue(0));
}
Console.WriteLine("Selected successfully !");
Console.WriteLine("");
Console.WriteLine("***********************************************************");
Console.ReadKey();
If I change the lines below to be the type of result I want then I get an error "ORA-00933: SQL command not properly ended":
String block = "SELECT * FROM TEMP_VIEW :1";
...
...
param.Value = "WHERE NAME = 'MY VALUE' AND ID = 5929";
My question is how do I accomplish adding my big where query dynamically without causing this error?
Sadly there is no easy way to achieve this.
One thing you will need to understand with parameterised SQL in general is that bind parameters can only be used for values, such as strings, numbers or dates. You cannot put bits of SQL in them, such as column names or WHERE clauses.
Once the database has the SQL text, it will attempt to parse it and figure out whether it is valid, and it will do this without taking any look at the bind parameter values. It won't be able to execute the SQL without all of the values.
The SQL string SELECT * FROM TEMP_VIEW :1 can never be valid, as Oracle isn't expecting a value to immediately follow FROM TEMP_VIEW.
You will need to build up your SQL as a string and also build up the list of bind parameters at the same time. If you find that you need to add a condition on the column NAME, you add WHERE NAME = :1 to the SQL string and a parameter with name :1 and the value you wish to add. If you have a second condition to add, you append AND ID = :2 to the SQL string and a parameter with name :2.
Hopefully the following code should explain a little better:
// Initialise SQL string and parameter list.
String sql = "SELECT * FROM DUAL";
var oracleParams = new List<OracleParameter>();
// Build up SQL string and list of parameters.
// (There's only one in this somewhat simplistic example. If you have
// more than one parameter, it might be easier to start the query with
// "SELECT ... FROM some_table WHERE 1=1" and then append
// " AND some_column = :1" or similar. Don't forget to add spaces!)
sql += " WHERE DUMMY = :1";
oracleParams.Add(new OracleParameter(":1", OracleDbType.Varchar2, "X", ParameterDirection.Input));
using (var connection = new OracleConnection() { ConnectionString = "..."})
{
connection.Open();
// Create the command, setting the SQL text and the parameters.
var command = new OracleCommand(sql, connection);
command.Parameters.AddRange(oracleParams.ToArray());
using (OracleDataReader reader = command.ExecuteReader())
{
while (reader.Read())
{
// Do stuff with the data read...
}
}
}
I have created a table register in SQL with field username. In the JFrame when a user enters username there is a JButton for checking the username availability. For this I have used the code below:
String sqlstmt = "select username from register where username='" +
jTextField1.getText() + "'";
try {
st = con.prepareStatement(sqlstmt);
stmt = con.createStatement();
rs = st.executeQuery(sqlstmt);
if (rs.next()) {
JOptionPane.showMessageDialog(null,"found");
} else {
JOptionPane.showMessageDialog(null,"not found");
}
} catch(SQLException e) {
JOptionPane.showMessageDialog(null,"sql error");
}
when executing this query, it is seen that data is empty. Or if I put rs.getString("username") inside the if (rs.next), it shows the "sql error" message.
You're mixing Statements and PreparedStatements here.
The best approach here would probably be to use a PreparedStatement, which would take care of any funky characters from your input, and offer protection against SQL injection:
// SQL statement to prepare.
// Note the lack of single quotes (') in the parameter
String sqlstmt= "select username from register where username = ?";
// Prepare the statement
PreparedStatement st = con.prepareStatement(sqlstmt);
// Bind the argument
st.setString(1, jTextField1.getText());
// Execute
ResultSet rs = st.executeQuery();
// Rest of the code to handle results...
Note:
This example omits error handling (e.g., try-catch constructs) in favor of clarity.
ResultSet is empty although query should return whole table. Here is my code
try{
Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
con = DriverManager.getConnection("jdbc:sqlserver://localhost","somonjon","sa");
con.setCatalog("ChatDBS");
Statement stmt = null;
String SQL = "SELECT * FROM Login_chat";
stmt = con.createStatement();
try{
System.out.println("trying execute query");
rs = stmt.executeQuery(SQL);
}
catch(SQLException ex){
ex.printStackTrace();
}
this is the error message:
trying execute query
com.microsoft.sqlserver.jdbc.SQLServerException: The result set has no current row.
P.S.
Okey guys I'm not sure is it important or not, but this codes is jButton1ActionPerformed event.
AFAIK, you are not suppose to get this exception unless you are doing some operation over ResultSet like rs.next();
Regarding the problem is concerned, there could be two scenarios
You are not pointing to right database (catalog)
You have not committed the transaction in the database.
You have to loop through rs.
String column1;
int column2;
while (rs.next()) {
column1 = rs.getString("nameColumn1");
column2 = rs.getInt("nameColumn2");
}
Ok, in
String SQL = "SELECT * FROM Login_chat";
You have to add a ";".
String SQL = "SELECT * FROM Login_chat;";
Try with that!
I was performing JDBC select query in my web service to return some values from my database. Part of this table is attached to this question. After performing following query:
SELECT * FROM uses WHERE uses_user_fk='22';
I receive only one row, but in database are two values that meet the query conditions, as you can see in attached picture. Can anyone tell me where I made a mistake. I’m using following JDBC instruction to execute the query
ResultSet tempResultSet = statement.executeQuery(query);
Bellow image of database table uses:
Below the compete method that query the database, argument query is the same as listed earlier “SELECT * FROM uses…”. I should add that the answer for that query is 4, I also try this query without using quotes (uses_user_fk=22) but the result was the same:
protected ArrayList<Integer> queryForIds(String query, String column) throws Exception {
ArrayList<Integer> ids = new ArrayList<>();
try {
Class.forName("com.mysql.jdbc.Driver");
connect = DriverManager
.getConnection(GeneralDatabaseConstants.DATABASE_CONNECTION_URL);
statement = connect.createStatement();
ResultSet tempResultSet = statement.executeQuery(query);
if (tempResultSet.next())
ids.add(new Integer(tempResultSet.getInt(column)));
} catch (Exception e) {
throw e;
} finally {
close();
}
return ids;
}
replace
if (tempResultSet.next())
with
while (tempResultSet.next())