2

I get following Error, but I can not understand why:

org.springframework.jdbc.BadSqlGrammarException: PreparedStatementCallback; bad SQL grammar [UPDATE da_tracking SET ins_name= xyz, ins_dev_scripted = False WHERE ins_ID = 12]; nested exception is java.sql.SQLException: Invalid parameter index 1.

------------------------ dao class-----
public int save(DboBean record) {
        // TODO Auto-generated method stub
        String sql = "UPDATE da_tracking"
                    + " SET ins_name= " + record.getDboDevName()+ "," 
                    + " ins_dev_scripted = " + record.getDevScripted()
                    + " WHERE ins_ID = " + record.getDboId();
        Object[] params = new Object[] {record.getDboDevName(), record.getDevScripted()};
        int[] types = new int[]{Types.VARCHAR, Types.BIT};
        return jdbcTemplate.update(sql, params, types);
    }
----------------------------Junit-----
bean.setDboDevName("xyz");
bean.setDboId(12);
int rowsAffected =  objDao.save(bean);

    System.out.println("Object is updated [" + bean.getDboId() + ", " + bean.getDboDevName() + 
            ", " + bean.getDevScripted() + "]");

Do you know why?? My delete & read Methods work.

Improve this question
0

2 Answers 2

Reset to default
4

The error you are seeing is because you are passing variables in to the params and types arrays, but you haven't put placeholders for those bind variables in your queries:

String sql = "UPDATE da_tracking"
            + " SET ins_name= ?," 
            + " ins_dev_scripted = ?"
            + " WHERE ins_ID = ?"
Object[] params = new Object[] {record.getDboDevName(), record.getDevScripted(), record.getDboId()};
int[] types = new int[]{Types.VARCHAR, Types.BIT, Types.INTEGER};
return jdbcTemplate.update(sql, params, types);

Internally, Spring is doing something like this:

PreparedStatement stmt = conn.prepareStatement("...your sql...");
stmt.setString(1, dboDevName); // this will fail, since there is no bind variable
                               // with index 1
...

You should NEVER build SQL queries by concatenating external data. In the best case, it will result in queries that will randomly fail if someone puts a strange quote or escape character in the data, and in the worst case, a major security hole which will compromise your system.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1 
public int save(DboBean record) {

        String sql = "UPDATE da_tracking"
                    + " SET ins_name= ?"+"," 
                    + " ins_dev_scripted = ?" 
                    + " WHERE ins_ID = ?";
        Object[] params = new Object[] {record.getDboDevName(), record.getDevScripted(), record.getDboId()};
        int[] types = new int[]{Types.VARCHAR, Types.BIT, Types.INTEGER}; // Change 3rd parameter type here
        return jdbcTemplate.update(sql, params, types);
    }

----------------------------Junit-----
bean.setDboDevName("xyz");
bean.setDboId(12);
int rowsAffected =  objDao.save(bean);

    System.out.println("Object is updated [" + bean.getDboId() + ", " + bean.getDboDevName() + 
            ", " + bean.getDevScripted() + "]");

Does this work?

Improve this answer

1 Comment

You are correct that bind variables (paramaterized queries) should be used, but that's not the source of this error. You are right that the variable (probably only ins_name) needs to be quoted, but the SQL parser hasn't gotten that far into parsing the query yet.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.