0

I want to insert data using JDBC; whenever I execute the program it shows me a MySQL error:

Insert statement:

String sql = "INSERT into books(name, isbn, author, category, desc, published) VALUES('"+name+"','"+isbn+"','"+author+"','"+category+"', '"+desc+"','"+book_published+"')";

I am trying to convert the string to a date here using:

String yr = year.getSelectedItem().toString();
String mn = month.getSelectedItem().toString();
String dy = day.getSelectedItem().toString();
String book_date = yr+"-"+mn+"-"+dy;
DateFormat df = new SimpleDateFormat("yyyy-MM-dd",
                                            Locale.ENGLISH);
try{
Date book_published = df.parse(book_date);
}catch(...){...}

and it shows me an error like:

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc, published) VALUES('skd flakj','klsdjf askj','kl jasdklfj kl','kls djfklj f' at line 1
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

Please help me figure out what is the problem here.

2
  • Does one of your values have a stray single quote? You would avoid a whole lot of trouble by using parameter binding instead of concatenating the values directly in your SQL string. Commented Dec 14, 2015 at 3:16
  • 3
    Using Prepared Statements Commented Dec 14, 2015 at 3:20

3 Answers

3

Your code is prone to SQL injection attacks due to the use of normal query statements. To secure your query, use PreparedStatement.

As for your query issue, DESC is a reserved word, so you can't use it as a column name. View this for the complete list of reserved words.

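The two fixes the answers ask for, quoting the reserved column name and binding the values instead of concatenating them, together as one added example. This is not code from the question or from any of the answers; it assumes a `books` table whose `published` column is of type DATE, MySQL Connector/J on the classpath, and a placeholder JDBC URL and credentials that must be replaced. It also sidesteps a second problem hidden in the original: concatenating `"'"+book_published+"'"` embeds the output of `java.util.Date.toString()` (e.g. `Mon Dec 14 00:00:00 ... 2015`), which MySQL would not accept as a DATE even after the syntax error is gone, whereas `setDate` hands the driver a real date value.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.time.LocalDate;

public class BookInsert {

    // `desc` is quoted with backticks so MySQL reads it as an identifier, not the keyword.
    // Every value is a ? placeholder: user input never becomes part of the SQL text,
    // so a stray single quote in a field cannot change the statement's structure.
    private static final String INSERT_SQL =
        "INSERT INTO books (`name`, `isbn`, `author`, `category`, `desc`, `published`) "
      + "VALUES (?, ?, ?, ?, ?, ?)";

    /** Inserts one row and returns the number of rows affected (1 on success). */
    public static int insertBook(Connection conn, String name, String isbn, String author,
                                 String category, String desc, LocalDate published)
            throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            ps.setString(1, name);
            ps.setString(2, isbn);
            ps.setString(3, author);
            ps.setString(4, category);
            ps.setString(5, desc);
            // java.sql.Date maps to a DATE column; no string formatting or parsing needed.
            ps.setDate(6, java.sql.Date.valueOf(published));
            return ps.executeUpdate();
        }
    }

    /**
     * Builds the publication date from the three combo-box selections
     * (year, month, day as strings) without going through SimpleDateFormat.
     * Throws DateTimeException for an impossible date such as 2015-02-30.
     */
    public static LocalDate toPublishedDate(String yr, String mn, String dy) {
        return LocalDate.of(Integer.parseInt(yr), Integer.parseInt(mn), Integer.parseInt(dy));
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder connection settings (assumption): replace with your own.
        String url = "jdbc:mysql://localhost:3306/library";
        try (Connection conn = DriverManager.getConnection(url, "DB_USER", "DB_PASSWORD")) {
            // Constructed sample input: the apostrophes would have broken the concatenated query.
            int rows = insertBook(conn,
                                  "O'Reilly's Guide",
                                  "978-0-00-000000-0",
                                  "J. Smith",
                                  "Databases",
                                  "A description with a ' single quote in it",
                                  toPublishedDate("2015", "12", "14"));
            System.out.println("Rows inserted: " + rows);
        }
    }
}
```

The prepared statement is compiled with the placeholders before any value is attached, so the driver sends the values separately from the SQL text; that is what makes the quote in "O'Reilly's Guide" harmless here while it would have produced exactly the syntax error shown in the question under concatenation.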

1

desc is a reserved word for MySQL, which means you can just use it plainly.

To use it without getting an error from MySQL, you should surround the reserved word with `.

PS: your SQL statement may suffer from SQL injection if using user-inputted parameters; attackers can use it to get control of your system. Maybe you should try to have a look at this one.

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet


0

desc is not a particularly good column name because it's a reserved word in MySQL. I'm not sure if this is the only issue here but you may want to try surrounding desc with ticks, like so:

String sql = "INSERT into books(`name`, `isbn`, `author`, `category`, `desc`, `published`) VALUES('"+name+"','"+isbn+"','"+author+"','"+category+"', '"+desc+"','"+book_published+"')";

It's good practice anyway.

Edit: and as others have mentioned, prepared statements are safer when saving untrusted input to a database.

1 Comment

Thanks @josh, I got it :)
