I have two issues, but I am only working on correcting one currently. In my program on line 331, when I execute it I get the error (catch statement) that there is an error with the SQL statement. It is identical to the others (that I see) and I am not seeing the error. Here is a snippet of the section that gives an error. I should just be able to update the MySQL database, just as the other sections do; this one errors. Where should I look? Something did not post correctly; I am looking at that too, sorry.
```java
        //String st = "DELETE FROM student WHERE Description = 'Michael'";
        // String st = "UPDATE student SET Description = + 'Michael' WHERE studentID = '123'";
        String studentID;
        String firstName;
        String lastName;
        double gpa;
        String status;
        String mentor;
        String level;
        String thesisTitle;
        String thesisAdvisor;
        String company;
        Scanner in = new Scanner(System.in);

        // print statements to match the database input
        System.out.println("Now let's update a record");
        System.out.println("Please enter the student ID of the record you want to update >");
        studentID = in.next();
        System.out.println("Please enter the new First Name >");
        firstName = in.next();
        System.out.println("Please enter the new Last Name >");
        lastName = in.next();
        System.out.println("Please enter the new GPA[X.XX] >");
        gpa = in.nextDouble();
        System.out.println("Please enter the new Status [Active or Inactive] >");
        status = in.next();
        System.out.println("Please enter the new mentor >");
        mentor = in.next();
        System.out.println("Please enter the new level >");
        level = in.next();
        System.out.println("Please enter the new thesis Title >");
        thesisTitle = in.next();
        System.out.println("Please enter the new thesis Advisor's name >");
        thesisAdvisor = in.next();
        System.out.println("Please enter the new Company Name >");
        company = in.next();

        // stmt.executeUpdate("Update student Set studentID='" + studentID + "', firstName='" + firstName + "', lastName='" + lastName + "', gpa=" + gpa + "', status='" + status + "', mentor='" + mentor + "', level='" + level + "', theseisTitle='" + thesisTitle + "', thesisAdvisor='" + thesisAdvisor + "', company='" + company + "WHERE studentID = '" + studentID + " '");

        // the statement that fails
        stmt.executeUpdate("Update student Set studentID='" + studentID + "',firstName'" + firstName + "', lastName='" + lastName + "', gpa=" + gpa + "', status='" + status + "', mentor='" + mentor + "', level='" + level + "', theseisTitle='" + thesisTitle + "', thesisAdvisor='" + thesisAdvisor + "', company='" + company + "WHERE studentID = '" + studentID + " '");

        // Close the statement and the connection
        stmt.close();
        conn.close();
    } catch (Exception e) {
        System.err.println("ERROR: Either cannot connect to the DB " + " or error with the SQL statement");
    }
```
One problem with your query is that it produces a syntax error on the firstName. Another is that it is vulnerable to SQL injection. Please parameterize your query: use PreparedStatement (example). Further reading: Why do we use PreparedStatement?; SQL Injection.
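The parameterized form of the UPDATE from the question, written as an added example (it is not code from the question or the answer). It binds every user-supplied value with PreparedStatement, so a quote typed into a prompt cannot end the string literal or append a second clause, and it prints the driver's own message from the catch block so a broken statement reports what the server actually rejected. Assumptions: the column is spelled thesisTitle in the table (the question's query spells it theseisTitle), the JDBC URL, user name and password are placeholders to replace, and MySQL Connector/J is on the classpath. The class and method names are mine.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Scanner;

public class UpdateStudent {

    // Column names follow the snippet in the question; thesisTitle is assumed
    // to be the real column name. Each ? is filled in by the driver, never by
    // string concatenation.
    private static final String UPDATE_SQL =
        "UPDATE student SET firstName = ?, lastName = ?, gpa = ?, status = ?, "
      + "mentor = ?, level = ?, thesisTitle = ?, thesisAdvisor = ?, company = ? "
      + "WHERE studentID = ?";

    /**
     * Updates one student row. Every value, including the studentID in the
     * WHERE clause, is bound as a parameter, so quotes or SQL keywords in the
     * input reach the server as data rather than as statement text.
     * Returns the number of rows the server reports as updated.
     */
    public static int updateStudent(Connection conn, String studentID,
            String firstName, String lastName, double gpa, String status,
            String mentor, String level, String thesisTitle,
            String thesisAdvisor, String company) throws SQLException {
        // try-with-resources closes the statement even if executeUpdate throws
        try (PreparedStatement ps = conn.prepareStatement(UPDATE_SQL)) {
            ps.setString(1, firstName);
            ps.setString(2, lastName);
            ps.setDouble(3, gpa);
            ps.setString(4, status);
            ps.setString(5, mentor);
            ps.setString(6, level);
            ps.setString(7, thesisTitle);
            ps.setString(8, thesisAdvisor);
            ps.setString(9, company);
            ps.setString(10, studentID);
            return ps.executeUpdate();
        }
    }

    /**
     * The concatenation style used in the question, reduced to two columns,
     * kept only to show the text the server would receive. Never execute it.
     */
    public static String unsafeUpdateText(String studentID, String firstName) {
        return "UPDATE student SET firstName = '" + firstName
             + "' WHERE studentID = '" + studentID + "'";
    }

    // nextLine() (not next()) so that values with spaces, such as a thesis
    // title, are read whole; all prompts use it, so no token is left behind.
    private static String ask(Scanner in, String label) {
        System.out.print(label + " > ");
        return in.nextLine().trim();
    }

    public static void main(String[] args) {
        // Constructed hostile input: a student ID of  123' OR '1'='1  turns the
        // concatenated WHERE clause into  WHERE studentID = '123' OR '1'='1
        // and the UPDATE would rewrite every row in the table.
        System.out.println(unsafeUpdateText("123' OR '1'='1", "Michael"));

        // Placeholder connection details; replace with your own.
        String url = "jdbc:mysql://localhost:3306/school";
        Scanner in = new Scanner(System.in);
        try (Connection conn = DriverManager.getConnection(url, "dbuser", "dbpassword")) {
            int rows = updateStudent(conn,
                ask(in, "Student ID of the record to update"),
                ask(in, "New first name"),
                ask(in, "New last name"),
                Double.parseDouble(ask(in, "New GPA [X.XX]")),
                ask(in, "New status [Active or Inactive]"),
                ask(in, "New mentor"),
                ask(in, "New level"),
                ask(in, "New thesis title"),
                ask(in, "New thesis advisor"),
                ask(in, "New company name"));
            System.out.println(rows + " row(s) updated");
        } catch (SQLException e) {
            // The driver's message names the real problem (bad syntax near a
            // column, unknown column, refused connection) instead of a guess.
            System.err.println("ERROR: " + e.getMessage());
        }
    }
}
```

Compile and run with the Connector/J jar on the classpath (for example `javac UpdateStudent.java` then `java -cp .:mysql-connector-j.jar UpdateStudent`). Printing `e.getMessage()` in the catch is what would have answered the question directly: MySQL reports the token it choked on, which for the posted string is the missing `=` after firstName.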