9

Hi, I am trying to insert values into a MySQL table. I am trying this code. I have assigned values to variables and I want to pass those variables to the insert statement. Is this correct?

code
    int tspent = "1";
    String pid = "trng";
    String tid = "2.3.4";
    String rid = "tup";
    String des = " polish my shoes!";

    INSERT INTO `time_entry`(pid,tid,rid,tspend,description) VALUE ('"+pid+"','"+tid+"','"+rid+"',"+tspent+",'"+des+"');

Here is what I have tried, but I am not able to insert values:

    try
    {
        conn=DBMgr.openConnection();
        String sqlQuery = "INSERT INTO `time_entry`(pid,tid,rid,tspend,description) VALUE ('"+pid+"','"+tid+"','"+rid+"',"+tspent+",'"+des+"');";
        st = conn.createStatement();
        rs = st.executeQuery(sqlQuery);
    }
4
  • "Java execute SQL" returns a huge number of hits :) Commented Jun 20, 2013 at 6:57
  • Did you get any exception? Commented Jun 20, 2013 at 6:58
  • @Sam... It's pretty obvious that this code is not even going to compile. Commented Jun 20, 2013 at 6:58
  • Change executeQuery to executeUpdate. Commented Jun 20, 2013 at 7:05

4 Answers

21

You should use the executeUpdate() method whenever your query is an SQL Data Manipulation Language statement. Also, your current query is vulnerable to SQL Injection.

You should use PreparedStatement:

    PreparedStatement pstmt = conn.prepareStatement("INSERT INTO `time_entry`(pid,tid,rid,tspend,description) VALUES (?, ?, ?, ?, ?)");

Then set the variables at those indexes:

    pstmt.setString(1, pid);
    // Similarly for the remaining 4

    // And then do an executeUpdate
    pstmt.executeUpdate();

17

Try this,

    String driver="com.mysql.jdbc.Driver";
    String url="jdbc:mysql://localhost:3306/dbname";
    String uname="username";
    String pass="password";
    Class.forName(driver);
    Connection c=(Connection) DriverManager.getConnection(url,uname,pass);
    Statement s=c.createStatement();
    s.executeUpdate("INSERT INTO `time_entry`(pid,tid,rid,tspend,description) VALUE ('"+pid+"','"+tid+"','"+rid+"',"+tspent+",'"+des+"')");

2 Comments

You take all strings. Is it workable for an integer datatype variable?
Do not use ('"+pid+"','"+tid+"','"+rid+"',"+tspent+",'"+des+"'), it is an open door for SQL Injection
10

Use a PreparedStatement and set the values using its setXXX() methods.

    // A Java string literal cannot span lines, so the SQL is kept on one line
    PreparedStatement pstmt = con.prepareStatement(
            "INSERT INTO `time_entry` (pid,tid,rid,tspend,description) VALUE (?,?,?,?,?)");
    pstmt.setString(1, pid);
    pstmt.setString(2, tid);
    pstmt.setString(3, rid);
    pstmt.setInt(4, tspent);
    pstmt.setString(5, des);
    pstmt.executeUpdate();
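
The difference between the concatenated query and the parameterized one, as an added example that is not code from the question or from any of the answers. The class and method names are hypothetical, `tspend` is assumed to be an integer column, and the description value is a constructed sample; the database part runs only if a JDBC URL, user and password are passed on the command line.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class TimeEntryInsert {  // hypothetical class name
    static final String INSERT_SQL =
        "INSERT INTO `time_entry` (pid, tid, rid, tspend, description) VALUES (?, ?, ?, ?, ?)";

    // The question's concatenated form, kept only to show the text the server would receive.
    static String concatenated(String pid, String tid, String rid, int tspent, String des) {
        return "INSERT INTO `time_entry`(pid,tid,rid,tspend,description) VALUE ('"
            + pid + "','" + tid + "','" + rid + "'," + tspent + ",'" + des + "')";
    }

    // Parameterized form: the driver binds or escapes each value, so a value
    // cannot change the structure of the statement.
    static int insert(Connection conn, String pid, String tid, String rid,
                      int tspent, String des) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            ps.setString(1, pid);
            ps.setString(2, tid);
            ps.setString(3, rid);
            ps.setInt(4, tspent);      // integer column: setInt, not setString
            ps.setString(5, des);
            return ps.executeUpdate(); // number of rows inserted
        }                              // statement is closed even if an exception is thrown
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample value: a single apostrophe ends the quoted literal early,
        // so the concatenated statement is no longer the SQL the developer wrote.
        String des = "polish my sister's shoes!";
        System.out.println(concatenated("trng", "2.3.4", "tup", 1, des));
        System.out.println(INSERT_SQL + "   <- same statement text for every input");

        // Optional: java TimeEntryInsert <jdbc-url> <user> <password>
        // (requires a JDBC driver on the classpath)
        if (args.length == 3) {
            try (Connection conn = DriverManager.getConnection(args[0], args[1], args[2])) {
                System.out.println("rows inserted: "
                    + insert(conn, "trng", "2.3.4", "tup", 1, des));
            }
        }
    }
}
```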


0
    import java.sql.*;

    class Adbs1 {
        public static void main(String args[]) {
            try {
                Class.forName("com.mysql.jdbc.Driver");
                Connection con = DriverManager.getConnection(
                        "jdbc:mysql://localhost:3306/rk", "root", "@dmin");
                // here rk is database name, root is username and password
                Statement stmt = con.createStatement();

                stmt.executeUpdate("insert into emp values('rk11','Irfan')");
                // stmt.executeUpdate("delete from  emp where eid ='rk4'");
                // stmt.executeUpdate("update emp set ename='sallu bhai' where eid='rk5'");

                ResultSet rs = stmt.executeQuery("select * from emp");
                while (rs.next())
                    System.out.println(rs.getString(1) + "  " + rs.getString(2));

                con.close();
            } catch (Exception e) { System.out.println(e); }
        }
    }
