sql INSERT using variables
Fred Hamilton
Ranch Hand
Posts: 684
posted 8 years ago
OK, I'm getting my feet wet with JDBC, and things are going well, with one or two exceptions. such as...
http://java.sun.com/products/jdbc/reference/codesamples/index.html#1
This link provides a downloadable zip file which contains many examples of java sql code. For some reason which is not yet clear to me, Sun has seen fit to make every last example of the INSERT statement work with values that are hard coded into the program.
I have poked around on the net looking for sample code, and just about every clear cut example I found has also worked with values that are hard coded into the program. ( via some kind of statement string );
I suppose this experience should tell me something. Anyways, If anyone can point me to some sample code where the INSERT statement uses variables instead of hard coded values, I would be most grateful.
It should be a no-brainer to make the transition from hard coded values to variables, but being a guy who learns well by example, I'd still like to see one.
regards.
http://java.sun.com/products/jdbc/reference/codesamples/index.html#1
This link provides a downloadable zip file which contains many examples of java sql code. For some reason which is not yet clear to me, Sun has seen fit to make every last example of the INSERT statement work with values that are hard coded into the program.
I have poked around on the net looking for sample code, and just about every clear cut example I found has also worked with values that are hard coded into the program. ( via some kind of statement string );
I suppose this experience should tell me something. Anyways, If anyone can point me to some sample code where the INSERT statement uses variables instead of hard coded values, I would be most grateful.
It should be a no-brainer to make the transition from hard coded values to variables, but being a guy who learns well by example, I'd still like to see one.
regards.
posted 8 years ago
Fred,
I think what it tells you is that the examples are old.
New code should use PreparedStatements (with variables) rather than Statements (with hard coding) unless there is a really good reason not to. Hard coding is vulnerable to SQL injection where a hacker can run malicious code against the database. PreparedStatements protect you against this.
The JDBC tutorial has an example.
I think what it tells you is that the examples are old.
New code should use PreparedStatements (with variables) rather than Statements (with hard coding) unless there is a really good reason not to. Hard coding is vulnerable to SQL injection where a hacker can run malicious code against the database. PreparedStatements protect you against this.
The JDBC tutorial has an example.
[OCA 8 book] [OCP 8 book] [Practice tests book] [Blog] [JavaRanch FAQ] [How To Ask Questions] [Book Promos]
Other Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, TOGAF part 1 and part 2
Fred Hamilton
Ranch Hand
Posts: 684
posted 8 years ago
Well, I looked through that page with a fine tooth comb, and every other page in the Sun Tutorial on JDBC, and didn't find an insert that used variables. But thanks anyways.
Actually, I'm not sure why I had a problem before, Something like the following should work, though I haven't had a chance to try yet.
instead of
String insertStr = "INSERT INTO users VALUES ('Hamilton', 'fred@abc.com');
the following should work, assuming I haven't made any syntax errors. Seems a strange way to have to do things though.
Anyways, this'll have to do until/unless I find something better.
Jeanne Boyarsky wrote:Fred,
I think what it tells you is that the examples are old.
New code should use PreparedStatements (with variables) rather than Statements (with hard coding) unless there is a really good reason not to. Hard coding is vulnerable to SQL injection where a hacker can run malicious code against the database. PreparedStatements protect you against this.
The JDBC tutorial has an example.
Well, I looked through that page with a fine tooth comb, and every other page in the Sun Tutorial on JDBC, and didn't find an insert that used variables. But thanks anyways.
Actually, I'm not sure why I had a problem before, Something like the following should work, though I haven't had a chance to try yet.
instead of
String insertStr = "INSERT INTO users VALUES ('Hamilton', 'fred@abc.com');
the following should work, assuming I haven't made any syntax errors. Seems a strange way to have to do things though.
Anyways, this'll have to do until/unless I find something better.
James Gregory
Greenhorn
Posts: 2
posted 8 years ago
From the link already given, one example is:
PreparedStatement updateSales = con.prepareStatement(
"UPDATE COFFEES SET SALES = ? WHERE COF_NAME LIKE ? ");
updateSales.setInt(1, 75);
updateSales.setString(2, "Colombian");
updateSales.executeUpdate():
Your solution using string concatenation may be vulnerable to SQL injection, depending on where it gets used.
PreparedStatement updateSales = con.prepareStatement(
"UPDATE COFFEES SET SALES = ? WHERE COF_NAME LIKE ? ");
updateSales.setInt(1, 75);
updateSales.setString(2, "Colombian");
updateSales.executeUpdate():
Your solution using string concatenation may be vulnerable to SQL injection, depending on where it gets used.
Fred Hamilton
Ranch Hand
Posts: 684
posted 8 years ago
Duly noted Paul and James. I'm just playing around at home, but definitely I want to learn about secure practices. I'll take a closer look at that tutorial page. It seems to make sense but right now it's not clear, but I'm sure it will become so with more effort.
I had planned on using my concatenated insertStr as follows...
Connection con = DriverManager.getConnection(url+dbName,userName,password);
Statement stmt = con.createStatement();
stmt.executeUpdate( insertStr );
anyways, this all works well enough, but if their are security concerns I guess I'll have to come up with something better, especially if this all makes the transition off of my home PC.
James Gregory wrote:From the link already given, one example is:
PreparedStatement updateSales = con.prepareStatement(
"UPDATE COFFEES SET SALES = ? WHERE COF_NAME LIKE ? ");
updateSales.setInt(1, 75);
updateSales.setString(2, "Colombian");
updateSales.executeUpdate():
Your solution using string concatenation may be vulnerable to SQL injection, depending on where it gets used.
Duly noted Paul and James. I'm just playing around at home, but definitely I want to learn about secure practices. I'll take a closer look at that tutorial page. It seems to make sense but right now it's not clear, but I'm sure it will become so with more effort.
I had planned on using my concatenated insertStr as follows...
Connection con = DriverManager.getConnection(url+dbName,userName,password);
Statement stmt = con.createStatement();
stmt.executeUpdate( insertStr );
anyways, this all works well enough, but if their are security concerns I guess I'll have to come up with something better, especially if this all makes the transition off of my home PC.
| With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime. |