
I'm currently working on an UPDATE statement in Java. After you click the button it will get the integer you put into the text field, read the name from the dropdown and give the corresponding employee ID. The database connection is done via a different class.

    ActionListener myActionListener = new ActionListener() {
        public void actionPerformed(ActionEvent ae) {
            DatabaseConnection connection = new DatabaseConnection();
            if (connection.openConnection()) {
                String ID = input1.getText();
                int orderID = Integer.parseInt(ID);

                String firstName = (String) cb.getSelectedItem();
                System.out.println(firstName);
                System.out.println(orderID);
                // compare string contents with equals(), not ==
                if ("Patrick".equals(firstName)) {
                    int employeeId = 10;
                    String sql = "UPDATE barorder SET statusId=2, employeeId='" + employeeId + "' where id='" + orderID + "' ;";
                }

            }
        }
    };

This is what I got so far but I don't know how to execute the SQL String now. Any suggestions?

  • Your current query is unsafe because it is open to SQL injection. I suggest you follow the JDBC tutorial, and learn how to use prepared statements. Commented Jun 13, 2016 at 13:54

2 Answers


You can use PreparedStatement to run the update query like this:

    ActionListener myActionListener = new ActionListener()
    {
        public void actionPerformed(ActionEvent ae)
        {
            DatabaseConnection connection = new DatabaseConnection();
            PreparedStatement preparedStatement = null;
            if (connection.openConnection())
            {
                String ID = input1.getText();
                int orderID = Integer.parseInt(ID);

                String firstName = (String) cb.getSelectedItem();
                System.out.println(firstName);
                System.out.println(orderID);
                // compare string contents with equals(), not ==
                if ("Patrick".equals(firstName))
                {
                    int employeeId = 10;

                    // placeholders keep the values out of the SQL text
                    String sql = "UPDATE barorder SET statusId=2, employeeId= ? where id= ?";
                    preparedStatement = connection.prepareStatement(sql);
                    preparedStatement.setInt(1, employeeId);
                    preparedStatement.setInt(2, orderID);
                    // no-argument form: the SQL was already bound at prepare time
                    preparedStatement.executeUpdate();

                }

            }
        }
    };


4 Comments

Your answer is unsafe as it includes SQL injection. Consider posting an answer that includes a safe equivalent using a prepared statement.
Have updated my answer. Thank you so much for your valuable comment.
Your update is wrong as it doesn't use parameters to solve the SQL injection problem, and on top of that using executeUpdate(String) on a prepared statement must always fail according to the JDBC specification (in MySQL it will probably work for this specific example).
Use ? to define the variables and add them with preparedStatement.setString(1, value).
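A fuller version of this answer's approach, as an added example that is not code from the question or either answer: the UPDATE with bound parameters inside try-with-resources, the name check done with equals() rather than ==, the text-field parse guarded, and the no-argument executeUpdate() the comment above asks for. The barorder table and its columns come from the question; the BarOrderUpdater class, the assignOrder and parseOrderId methods, the EMPLOYEE_IDS map and the JDBC URL are assumptions (the asker's DatabaseConnection class is not shown, so a plain DriverManager connection is used).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Map;

public class BarOrderUpdater {
    // Hypothetical name -> id table; the question only hard-codes "Patrick" -> 10.
    private static final Map<String, Integer> EMPLOYEE_IDS = Map.of("Patrick", 10);

    /**
     * Sets statusId to 2 and assigns the employee on one barorder row.
     * The values are bound as parameters, so they never become part of the
     * SQL text. Returns the number of rows updated (0 = no such order id).
     */
    static int assignOrder(Connection conn, int orderId, String firstName) throws SQLException {
        Integer employeeId = EMPLOYEE_IDS.get(firstName);   // equals-based lookup, not ==
        if (employeeId == null) {
            throw new IllegalArgumentException("Unknown employee: " + firstName);
        }
        String sql = "UPDATE barorder SET statusId = 2, employeeId = ? WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, employeeId);
            ps.setInt(2, orderId);
            return ps.executeUpdate();   // no-arg form: SQL was bound at prepare time
        }
    }

    /** Parses the text field; anything that is not an integer is rejected before SQL. */
    static int parseOrderId(String text) {
        try {
            return Integer.parseInt(text.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("Order id must be a whole number, got: " + text, e);
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder JDBC URL and credentials (assumption); replace with your own.
        String url = System.getProperty("jdbc.url", "jdbc:mysql://localhost:3306/bar");
        try (Connection conn = DriverManager.getConnection(url, "user", "password")) {
            int rows = assignOrder(conn, parseOrderId(" 42 "), "Patrick");
            System.out.println("rows updated: " + rows);
        }
    }
}
```

Map.of requires Java 9 or later; on older JDKs build the map with HashMap instead.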

By using PreparedStatement you may solve your problem.

In my own project I have used this:

        PreparedStatement prep = conn.prepareStatement("INSERT INTO Signup(Username, password, Email) VALUES(?, ?, ?)");
        prep.setString(1, UserName);
        prep.setString(2, Password);
        prep.setString(3, Email);

        prep.executeUpdate();

And you can get help from the link: http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html

2 Comments

Both statements are important for this.
As: PreparedStatement prep .. and its call prep.setString...
