This is my console output:

```
[10, name, N, 11-11, Address, 12, City, XX, 123-123-123, 321-321-321, maaaail]
INSERT INTO CUSTOMER (CUSTOMER_ID, NAME, ZIP, ADDRESSLINE1, ADDRESSLINE2, CITY, STATE, PHONE, FAX, EMAIL) VALUES (10','name','11-11','Address','12','City','XX','123-123-123','321-321-321','maaaail)
java.sql.SQLSyntaxErrorException: Syntax error: Encountered "\',\'" at line 1, column 117.
```

And this is my code:

```java
System.out.println(Arrays.toString(dane));
sql = "INSERT INTO CUSTOMER (CUSTOMER_ID, NAME, ZIP, ADDRESSLINE1, ADDRESSLINE2, CITY, STATE, PHONE, FAX, "
        + "EMAIL) VALUES (" + dane[0] + "','" + dane[1] + "','" + dane[3] + "','" + dane[4] + "','"
        + dane[5] + "','" + dane[6] + "','" + dane[7] + "','" + dane[8] + "','" + dane[9] + "','" + dane[10] + ")";
System.out.println(sql);
```
  • You are missing a quote at the end: `'" + dane[10] + "')`. But don't do it this way. Instead, learn about [PreparedStatement](https://docs.oracle.com/javase/8/docs/api/java/sql/PreparedStatement.html) to avoid syntax errors and SQL injection. – Youcef LAIDANI May 29 '18 at 18:02
  • ^^ more: http://bobby-tables.com – T.J. Crowder May 29 '18 at 18:03
  • There is also a quote missing at the beginning of the values. – Turamarth May 29 '18 at 18:03
  • Yes, this code is vulnerable to [SQL injection](https://en.wikipedia.org/wiki/SQL_injection) - you should never use string concatenation for SQL statements (in production code). – Blorgbeard May 29 '18 at 18:04
  • You missed a lot of quotes. I suggest you use a formatted string, string builder, or SQL builder to create your query. –  May 29 '18 at 18:04
  • What if any of your string values themselves contain single quotes? Don't treat query values as *executable code*, treat them as *values*. Use prepared statements with query parameters. It's more secure, cleaner, easier to maintain, faster, and less buggy. – David May 29 '18 at 18:04
  • You're also missing a quote at the beginning: `(" + dane[0] + "','" +`. And I wholeheartedly second @YCF_L's recommendation that you use statement binding rather than just appending raw values. You're wide open to an injection attack. – Ted Hopp May 29 '18 at 18:04
  • There **has** to be a canonical dupe target for this. I used [this one](https://stackoverflow.com/questions/22897295/understanding-java-jdbc-error), but it's surely not the best one we have. There are so many... – T.J. Crowder May 29 '18 at 18:10

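The commenters' recommendation, written out as an added example (not code from the question or from any of the commenters): the same INSERT into CUSTOMER with the ten values bound through a `PreparedStatement` instead of concatenated into the SQL text. The column-to-index mapping mirrors the question's code (dane[2] is skipped, so ZIP comes from dane[3]). It assumes CUSTOMER_ID is an integer column, since the original never quotes dane[0], and that the other columns are character types; the sample record with the name `O'Brien` is constructed here to show why even correctly quoted concatenation is fragile.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class CustomerInsert {

    // Same column list as the question's INSERT; every value is a placeholder.
    private static final String INSERT_SQL =
        "INSERT INTO CUSTOMER (CUSTOMER_ID, NAME, ZIP, ADDRESSLINE1, ADDRESSLINE2, "
      + "CITY, STATE, PHONE, FAX, EMAIL) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";

    /**
     * Inserts one row with bound parameters. The values in dane are handed to
     * the driver as data and never become part of the SQL text, so a quote in
     * a value can neither break the syntax nor change what the statement does.
     *
     * Assumption (not stated in the question): CUSTOMER_ID is an INTEGER column,
     * the remaining columns are character types.
     */
    public static int insertCustomer(Connection conn, String[] dane) throws SQLException {
        if (dane.length < 11) {
            throw new IllegalArgumentException("expected at least 11 fields, got " + dane.length);
        }
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            ps.setInt(1, Integer.parseInt(dane[0].trim())); // CUSTOMER_ID
            ps.setString(2, dane[1]);                        // NAME
            ps.setString(3, dane[3]);                        // ZIP (dane[2] is unused, as in the question)
            ps.setString(4, dane[4]);                        // ADDRESSLINE1
            ps.setString(5, dane[5]);                        // ADDRESSLINE2
            ps.setString(6, dane[6]);                        // CITY
            ps.setString(7, dane[7]);                        // STATE
            ps.setString(8, dane[8]);                        // PHONE
            ps.setString(9, dane[9]);                        // FAX
            ps.setString(10, dane[10]);                      // EMAIL
            return ps.executeUpdate();
        }
    }

    /**
     * The question's concatenation with both missing quotes restored, kept
     * only to show the remaining problem: the SQL text still depends on the
     * content of the values.
     */
    static String concatenatedSql(String[] dane) {
        return "INSERT INTO CUSTOMER (CUSTOMER_ID, NAME, ZIP, ADDRESSLINE1, ADDRESSLINE2, CITY, STATE, PHONE, FAX, "
            + "EMAIL) VALUES (" + dane[0] + ",'" + dane[1] + "','" + dane[3] + "','" + dane[4] + "','"
            + dane[5] + "','" + dane[6] + "','" + dane[7] + "','" + dane[8] + "','" + dane[9] + "','" + dane[10] + "')";
    }

    public static void main(String[] args) {
        // Constructed sample record with the same shape as the array printed in
        // the question, but with an apostrophe in the name.
        String[] dane = {"10", "O'Brien", "N", "11-11", "Address", "12", "City",
                         "XX", "123-123-123", "321-321-321", "maaaail"};

        // The apostrophe in O'Brien closes the string literal early, so this
        // statement is again a syntax error, and a value chosen on purpose
        // could change the statement's meaning rather than merely break it.
        System.out.println(concatenatedSql(dane));

        // The bound statement's text is constant regardless of the data.
        System.out.println(INSERT_SQL);
    }
}
```

To run the insert, obtain a `java.sql.Connection` the way the project already does (for Derby, `DriverManager.getConnection` with the project's JDBC URL) and call `insertCustomer(conn, dane)`; `executeUpdate` returns the number of rows inserted, which should be 1. Because the driver receives the statement text and the values separately, the query parser never sees the data, which is what removes both the quoting bug and the injection exposure the comments describe.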