SQL syntax error: "com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax;"

Question

Trying to establish a JDBC connection in an android studio app, and I am getting the following error:

2020-07-06 13:16:55.229 12576-12664/com.example.mmi W/System.err: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'and USER PASSWORD=' at line 1
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at java.lang.reflect.Constructor.newInstance0(Native Method)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at java.lang.reflect.Constructor.newInstance(Constructor.java:343)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at com.mysql.jdbc.Util.handleNewInstance(Util.java:425)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at com.mysql.jdbc.Util.getInstance(Util.java:408)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:944)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3976)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3912)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2530)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2683)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2482)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2440)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at com.mysql.jdbc.StatementImpl.executeQuery(StatementImpl.java:1381)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at com.example.mmi.MainActivity$MyTask.doInBackground(MainActivity.java:69)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at com.example.mmi.MainActivity$MyTask.doInBackground(MainActivity.java:48)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at android.os.AsyncTask$3.call(AsyncTask.java:378)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:289)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
2020-07-06 13:16:55.230 12576-12664/com.example.mmi W/System.err:     at java.lang.Thread.run(Thread.java:919)

Here is my code:

Connection con = DBUtility.connect();
Statement st = con.createStatement();
ResultSet rs = st.executeQuery("SELECT * FROM mmi_userinfo where USERNAME='"+ user + "' and USER PASSWORD='" + pass + "'");

Here is the DBUtility class code:

public class DBUtility
{
    public static Connection connect() throws ClassNotFoundException, SQLException {
        Connection con;

        //Class.forName("com.mysql.cj.jdbc.Driver");
        con = DriverManager.getConnection("jdbc:mysql://192.168.1.235:3306/mmi?useSSL=false","loginuser","loginpass");

        return con;
    }
}

The syntax error message has an important part: near ..., where the ... shows the part of the sql statement where the error occured. That also gives us a clue as to what may have gone wrong — Shadow, Jul 06 '20 at 18:34
Are you going to have your application connect to a database directly? — stdunbar, Jul 06 '20 at 18:39
I've added the full error above. I am connecting directly to the database via JDBC, I understand this is not best practice, however, this is just for a student project and there is no security concern. — Mike, Jul 06 '20 at 18:59

Teetrinker · Accepted Answer · 2020-07-06T18:38:39.203

1

... and USER PASSWORD='" + pass + "'" ...

USER PASSWORD is not a valid expression here. You have to enclose it in backticks if this is the real column name.

... and `USER PASSWORD`=...

But it doesn't seem a good practice to have spaces in column names. I suggest renaming it to USER_PASSWORD.

Btw. your code is open for SQL injections.

edited Jul 06 '20 at 18:38

answered Jul 06 '20 at 18:34

Teetrinker

575
5
15

If it is a typo, then pls comment and vote / flag to close. There is an explicit close reason for such questions. – Shadow Jul 06 '20 at 18:36
That fixed the error, thank you! – Mike Jul 06 '20 at 19:21

SQL syntax error: "com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax;"

1 Answers1