0

I am taking input from the user and storing it in two different variables. I am binding the parameters with my SQL statement. When I run the code, it's giving an issue on the concatenating part of the query.

```java
String CityA= null;
String CityB= null;
try {
   CityA = readEntry(in, "Enter Origin City : ");
   CityB = readEntry(in, "Enter Destination City : ");

   // We treat this drop table specially to allow it to fail
   // as it will the very first time we run this program

  try {
  String q = "SELECT f.FLNO,f.DISTANCE,TIMEDIFF(f.arrives,f.departs) 
              as Duration FROM FLIGHTS F"
              + " WHERE F.ORIGIN = "+CityA;
              + "AND f.DESTINATION = "+CityB;

  System.out.println(q);
  rset = stmt.executeQuery(q);
  while (rset.next()) {
     System.out.println(rset.getInt("FLNO") + "," 
     + rset.getInt("Distance") + "," 
     + rset.getTime("Duration"));
  }
  System.out.println("Done");
  }
  catch (SQLException e) {
  // assume not there yet, so OK to continue
}        
finally {
        stmt.close(); 
}
```
Mark Rotteveel
hassan
  • 1
    `+CityA;` ? this completes a statement. You must review the entire code syntactically first. – Shreyas Apr 28 '19 at 07:07
  • @hassan please see my code – Hasnain Ali Bohra Apr 28 '19 at 07:27
  • 1
    your code does not compile. And NEVER EVER get rid of exception, I'm pretty sure a simple `e.printStackTrace()` will give you the answer... – Alexandre Cartapanis Apr 28 '19 at 08:30
  • Possible duplicate of [How does Java's PreparedStatement work?](https://stackoverflow.com/questions/419021/how-does-javas-preparedstatement-work) – Progman Apr 28 '19 at 10:26
  • _"When i run the code its giving issue"_ please provide a more explicit and full description of your problems. And never ever use empty catch blocks. Your _"// assume not there yet, so OK to continue"_ is an incorrect assumption. And you should never concatenate values into a query string, it is unsafe and prone to errors. Please learn about prepared statements and parameters. – Mark Rotteveel Apr 28 '19 at 10:36

2 Answers

1

Please find the code for the query. Basically, you missed the space between the CityA and AND.

```java
// Each city value is wrapped in single quotes, and a space precedes AND.
String q = "SELECT f.FLNO,f.DISTANCE,TIMEDIFF(f.arrives,f.departs) as Duration FROM FLIGHTS F"
                + " WHERE F.ORIGIN = '"+CityA+"' "
                + "AND f.DESTINATION = '"+CityB+"'";
```
Hasnain Ali Bohra
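
The parameterized form that the comments above point to, as an added example that is not part of the original question or answers. The class name `FlightLookup`, the method `printFlights` and the environment variable `FLIGHTS_JDBC_URL` are hypothetical, and the two city values are constructed sample input.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class FlightLookup {
    // Placeholders (?) keep the SQL text fixed; the driver sends the city
    // names as data, so no quoting or spacing has to be built by hand.
    static final String QUERY =
        "SELECT f.FLNO, f.DISTANCE, TIMEDIFF(f.arrives, f.departs) AS Duration"
        + " FROM FLIGHTS f"
        + " WHERE f.ORIGIN = ?"
        + " AND f.DESTINATION = ?";

    static int printFlights(Connection conn, String origin, String destination)
            throws SQLException {
        int rows = 0;
        // try-with-resources closes the statement and result set even on error.
        try (PreparedStatement ps = conn.prepareStatement(QUERY)) {
            ps.setString(1, origin);       // bound to the first ?
            ps.setString(2, destination);  // bound to the second ?
            try (ResultSet rset = ps.executeQuery()) {
                while (rset.next()) {
                    System.out.println(rset.getInt("FLNO") + ","
                        + rset.getInt("DISTANCE") + ","
                        + rset.getTime("Duration"));
                    rows++;
                }
            }
        }
        return rows;
    }

    public static void main(String[] args) {
        // Assumption: FLIGHTS_JDBC_URL is a hypothetical environment variable
        // holding the JDBC URL (with credentials) of the FLIGHTS database.
        String url = System.getenv("FLIGHTS_JDBC_URL");
        // Constructed sample input; the apostrophe would break a concatenated query.
        String cityA = "Coeur d'Alene";
        String cityB = "Los-Angeles";
        try (Connection conn = DriverManager.getConnection(url)) {
            System.out.println(printFlights(conn, cityA, cityB) + " row(s)");
        } catch (SQLException e) {
            // Report the failure instead of swallowing it.
            e.printStackTrace();
        }
    }
}
```

Running it needs a JDBC driver on the classpath and a database that supports `TIMEDIFF`, as the query on this page does.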
0

There is a typo in your query string - you missed the space between 'Los-Angeles' and AND.

Piotr S