6

How can I make an prepared statement of this one?

    Statement stmt = con.createStatement();

    long lastid = getLastId(stmt);

    // create a SQL query
    String strQuery = "INSERT INTO studenten " +
    " (id, naam, adres, postcode, plaats, geboren) " +
    " VALUES (" + (lastid+1) + "," +
        "'" + contact.getNaam() + "'," +
        "'" + contact.getAdres() + "'," +
        "'" + contact.getPostcode() + "'," +
        "'" + contact.getPlaats() + "'," +
      "{d '" + contact.getGeboren() + "'}" +
    ") ";

    stmt.executeUpdate(strQuery);      
    stmt.close();
    con.close();
Ronald Wildenberg
  • 31,634
  • 14
  • 90
  • 133
Jay
  • 85
  • 1
  • 2
  • 4

2 Answers2

14

You need to substitute values with question marks ? as placeholders.

String sql = "INSERT INTO studenten (id, naam, adres, postcode, plaats, geboren)"
     + " VALUES (?, ?, ?, ?, ?, ?)";
Connection connection = null;
PreparedStatement statement = null;

try {
    connection = database.getConnection();
    statement = connection.prepareStatement(sql);
    statement.setLong(lastId + 1); // Why don't you use an generated sequence? This is plain ugly and errorprone.
    statement.setString(contact.getNaam());
    statement.setString(contact.getAdres());
    statement.setString(contact.getPostcode());
    statement.setString(contact.getPlaats());
    statement.setDate(new java.sql.Date(contact.getGeboren().getTime())); // Assuming it returns java.util.Date
    statement.executeUpdate();
} finally {
    // Always close in finally to prevent resource leaks.
    if (statement != null) try { statement.close(); } catch (SQLException ignore) {}
    if (connection != null) try { connection.close(); } catch (SQLException ignore) {}
}

See also:

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
  • thanks!the lastID thingy is just part of the source I needed to edit, not sure why they use – Jay Sep 13 '10 at 13:25
1

Here is a better way to do it:

String sql = "INSERT INTO studenten (id, naam, adres, postcode, plaats, geboren)"
     + " VALUES (?, ?, ?, ?, ?, ?)"

try {
    connection = database.getConnection();
    statement = connection.prepareStatement(sql);
    statement.setLong(1,your_id_value);
    statement.setString(2,contact.getNaam());
    statement.setString(3,contact.getAdres());
    statement.setString(5,contact.getPlaats());  // order doesn't matter now you can give the index of the parameter
    statement.setString(4,contact.getPostcode());
    statement.setDate(6,getGeboren());
    statement.executeUpdate();

    // or System.out.println(statement.executeUpated())  to see how many row are effected by this query
    statement.close();
} catch(java.sql.Exception sql_exception ){
    //you can see what goes wrong here with your statement 
    e.printStackTrace();
}
marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Charif DZ
  • 14,415
  • 3
  • 21
  • 40