1

My java program collects a file path from a text field:

pathField.getText();

And inserts the results to my database (phpMyAdmin). However, it doesn't seem to include the backslashes(). EG - C:UsersSteveDesktop

The FilePath field in the database is set to "Text". I have tested the pathField.getText() in a System.out statement, and it prints with the backslashes.

Statement st = (Statement) conn.createStatement();

            String query_to_update = "INSERT INTO `evidence_db`.`mcases` ("
                    + "`PID`,"
                    + " `FilePath`) "
                    + "VALUES ("
                    + "DEFAULT,"
                    + " '" + pathField.getText() + "');";

            System.out.println("Query: " + query_to_update);

            int val = st.executeUpdate(query_to_update);

Please note that I have edited the above code, so there might be minor errors.

Improve this question
11
  • are you using preparedStatement? a part of your code will help Commented Dec 14, 2012 at 16:51
  • My SQL statement in Java is a string. Which is then sent via : st.executeUpdate(query); Commented Dec 14, 2012 at 16:54
  • can you post your code here? Commented Dec 14, 2012 at 16:55
  • BTW / is a forward slash. You may have to escape those before inserting them into MySQL. Backslashes do for sure, not as sure with forward slashes. Either way you would escape the slash with a backslash `\` Commented Dec 14, 2012 at 16:58
  • If you use Prepared Statements, they might handle the escaping for you. Commented Dec 14, 2012 at 17:00

1 Answer 1

Reset to default
3

you should use prepared statement to avoid this kind of errors

public static void main(String args[]) {

  Connection con = null;
  PreparedStatement pst = null;
  ResultSet rs = null;

  try {

  Class.forName(driver);
  con = DriverManager.getConnection(connection);

  String sql =
  "select * from Employees where FirstName " + "in(?,?,?)";
  pst = con.prepareStatement(sql);

  pst.setString(1, "komal");
  pst.setString(2, "ajay");
  pst.setString(3, "santosh");

  rs = pst.executeQuery();
  System.out.println("EmployeeID\tFirstName");
  while (rs.next()) {
  System.out.print("  "+rs.getString(1));
  System.out.print("\t\t"+rs.getString(2));
  System.out.println("\t\t"+rs.getString(3));
  }

  } catch (Exception e) {
  System.out.println(e);
  }
  }
}

so in your case

String query_to_update = "INSERT INTO `evidence_db`.`mcases` ("
                    + "`PID`,"
                    + " `FilePath`) "
                    + "VALUES (?,?);";

PreparedStatement pst=coneection.prepareStatement(query_to_update);
pst.setString(1,"DEFAULT");
pst.setString(2,pathField.getText());
pst.executeUpdate();
Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

Just to clarify, does the setString method set the amount of characters allowed to be inserted into that field - Thus stopping sql injection?
No it won't, you will get limit exceeded error for that field if the number of characters set using setString method are exceeded than the size of that field
@StevenMclaren : agreed with abu, the error will be generated by you mysql offcourse
@BhavikShah - Do the values need to be entered twice? One in query_to_update (?,?), and once again to .setString?
@StevenMclaren : no the ?'s should stay as it is
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.