0

Would you be that kind and tell me whats wrong in here? conn is DriverManager.getConnection(DB_URL)

        try {
            PreparedStatement prepStmt = conn.prepareStatement(
                    "UPDATE week SET ?=? WHERE id>=? AND id<=?");
            prepStmt.setString(1, s);
            prepStmt.setFloat(2, x);
            prepStmt.setInt(3, c);
            prepStmt.setInt(4, d);
            prepStmt.executeUpdate();
        } catch(SQLException e) {
            System.err.println("Error during data update");
            e.printStackTrace();
        }

Error is in first line of "try" and it goes like "SQL error or missing database (near "?": syntax error)". I have to add that when I put this statement in cmd with "?" substituted with values it works as charm.

Improve this question
1
  • use PreparedStatement prepStmt = conn.prepareStatement( "UPDATE week SET "+s+"=? WHERE id>=? AND id<=?"); Commented Nov 20, 2014 at 13:52

4 Answers 4

Reset to default
2

You can't pass column names as parameters to the prepared statement. You can only pass values as parameters :

    try {
        PreparedStatement prepStmt = conn.prepareStatement(
                "UPDATE week SET some_column_name=? WHERE id>=? AND id<=?");
        prepStmt.setFloat(1, x);
        prepStmt.setInt(2, c);
        prepStmt.setInt(3, d);
        prepStmt.executeUpdate();
    } catch(SQLException e) {
        System.err.println("Error during data update");
        e.printStackTrace();
    }
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

You cannot pass a column name to the PreparedStatement. What you could do to overcome this is change it in the string.

try {
    PreparedStatement prepStmt = conn.prepareStatement(
    "UPDATE week SET " + s + " =? WHERE id>=? AND id<=?");
    prepStmt.setFloat(1, x);
    prepStmt.setInt(2, c);
    prepStmt.setInt(3, d);
    prepStmt.executeUpdate();
} catch(SQLException e) {
    System.err.println("Error during data update");
    e.printStackTrace();
}
Improve this answer

3 Comments

Ok but can't i just do it like this: 'String stmt="UPDATE week SET "+s+" = "+String.valueOf(x)+" WHERE id>= "+String.valueOf(c)+" AND id<="+String.valueOf(d);'
or even better: 'String stmt="UPDATE week SET "+s+" = "+x+" WHERE id>= "+c+" AND id<= "+d;'?
You can do it, but it is a good practice to pass parameters, it helps preventing SQL Injection (not quite sure... someone correct me if I'm wrong, please). Also, looking at the code I've posted, building the string this way may be a potential security flaw. Try doing it statically, using a flag to define the column name. E.g if (foo_flag) s= "column_1" (...)
0

You should not do ? = ? you should specify the field id = ?...or whatever field you want there.

PreparedStatement prepStmt = conn.prepareStatement(
                    "UPDATE week SET columnName=? WHERE id>=? AND id<=?");
Improve this answer

Comments

0

As it was mentioned you can not pass column names or sql syntax to the PreparedStatement. however you can use String.format() to pass anything to your sql:

try {
                String sql = "UPDATE week SET %s=? WHERE id>=? AND id<=?";
                sql = String.format(sql , "s")
                PreparedStatement prepStmt = conn.prepareStatement(sql);
                prepStmt.setFloat(1, x);
                prepStmt.setInt(2, c);
                prepStmt.setInt(3, d);
                prepStmt.executeUpdate();
            } catch(SQLException e) {
                System.err.println("Error during data update");
                e.printStackTrace();
            }

sa you can see ? = ? is replaced with %s = ? and later the column name was replaced with String.format and later the String was passed to the PreparedStatement. however this should not be used pass data because it defies the purpose of PreparedStatements.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.