Home/ Questions/Q 7965383
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T06:08:25+00:00

I have problems running this sql statement. It works fine if I run it

  • 0

I have problems running this sql statement. It works fine if I run it in mysql but in java I get this error: 

You have an error in your SQL syntax; check the manual that corresponds 
  to your MySQL server version for the right syntax to use near '' at line 1

The database has an id(pk) autogenerated, varchar, int, varchar;

Can someone help me? 

int i = statement.executeUpdate("INSERT INTO sala values('','"+ nume.getText() + "', "+ Integer.parseInt(capacitate.getText())+ ", '" + sunet.getText()+"'");
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Don’t just try to fix this code by tweaking the SQL as per adarshr’s answer. You have a fundamental security problem here which you should fix right now. You’re open to SQL injection attacks due to including user data directly in your SQL.

    You should use a PreparedStatement, with the parameters declared as placeholders in the SQL, but then given values separately. Exactly how you’ll do that will depend on your JDBC provider, but it’ll look something like this:

    // TODO: Fix the column names, and close the statement in a try/finally block
PreparedStatement pst = conn.prepareStatement(
    "INSERT INTO sala (nume, capacitate, sunet) VALUES (?, ?, ?)");
pst.setString(1, nume.getText());
pst.setInt(2, Integer.parseInt(capacitate.getText()));
pst.setString(3, sunet.getText());
pst.executeUpdate();

    Note that if you can get capacite in a way which doesn’t require integer parsing, that would be good. Otherwise, consider using NumberFormat which is more locale-friendly. Also note that I’ve added the column names into the SQL to make this more robust in the face of schema changes.

    • 0