1

It works when i try to insert variables for example :

String insertStr="INSERT INTO  table1(username1,password1) VALUES(\"john\",\"password\")";

but unable to insert using variable

String a=username.getText();
String b=password.getText();

try {
    Class.forName("com.mysql.jdbc.Driver");  
    Connection con=DriverManager.getConnection("jdbc:mysql://localhost:3306/java_db1","root","");  

    Statement stmt=con.createStatement();        
    String insertStr="INSERT INTO  table1(username1,password1) VALUES(a,b);";
    stmt.executeUpdate(insertStr);
} catch (Exception e) { }
Improve this question
1
  • String insertStr="INSERT INTO table1(username1,password1) VALUES("+strA+","+strB+");"; Commented Jan 9, 2018 at 13:48

3 Answers 3

Reset to default
3

Use [PreparedStatement][1] instead of your way, because your way can be a victim of SQL Injection or Syntax errors :

String insertStr = "INSERT INTO  table1(username1,password1) VALUES(?, ?)";
try (PreparedStatement pst = con.prepareStatement(insertStr)) {
    pst.setString(1, a);
    pst.setString(2, b);
    pst.executeUpdate();
}

For reason of security I don't suggest to get password with getText(), instead use getPassword(), so you can use :

pst.setString(1, username.getText());
pst.setString(2, new String(passwordField.getPassword()));

Take a look at this :

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

There's a small syntax error on line 2, the colon shouldn't be there on the try with resources. Thanks for the answer :)
Thank you for the comment @joshpetit, what did you mean I don't get you.
there's a *semi-colon here: try (PreparedStatement pst = con.prepareStatement(insertStr);) after insertStr.
Also this is likely a separate post, but is there a way to use the same variable for multiple fields? I.e use the same variable for both question marks in the prepared statement?
@joshpetit Yes it is unnecessary semicolon, you can edit my question to let your trace behind :) and about your question, yes you can use pst.setString(1, sameThing); pst.setString(2, sameThing);
|
0

Since you are inserting "a" and "b" as String, not their variable values.

String insertStr="INSERT INTO  table1(username1,password1) VALUES("+a+","+b+");";

should do it, but I would recommend to use a prepared statement here: https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html

Improve this answer

2 Comments

You shouldn't use variable directly in a SQL String as this as this is vulnerable to DB Injection attack.
@TravisStevens That's why I recommended prepared statements...
0

The most common way to insert variable values into sql is to use the PreparedStatement Object

With this object, you can add variable values into a SQL Query without fearing of SQL injection. Here an example of PreparedStatement : 

//[Connection initialized before]
String insertStr="INSERT INTO  table1(username1,password1) VALUES(?,?);";
PreparedStatement myInsert = myConnectionVariable.prepareStatement(insertStr); // Your db will prepare this sql query
myInsert.setString(1, a); //depending on type you want to insert , you have to specify the position of your argument inserted (starting at 1)
myInsert.setString(2, b); // Here we set the 2nd '?' with your String b
myInsert.executeUpdate(); // It will returns the number of affected row (Works for UPDATE,INSERT,DELETE,etc...)
//You can use executeQuery() function of PreparedStatement for your SELECT queries

This is safer than using String concatenation like this : VALUES("+a+","+b+");

Take a look at Java Doc for more information ;)

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.