Yassine Khalid

Reputation: 3

com.mysql.jdbc.exception you have an error in your sql syntax;

I do not know why I have this error... please, if someone can tell me what's wrong in this:

com.mysql.jdbc.exception you have an error in your sql syntax; check the manual that corresponds to your MySQL server version for the right syntax to use

mat_pay="maybe";
Class.forName("com.mysql.jdbc.Driver");
connec = DriverManager.getConnection("jdbc:mysql://localhost/babe","root","");
stmt = connec.prepareStatement("INSERT INTO ? VALUES ( , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? ) ");
stmt.setString(1,mat_pay);
stmt.setInt(2,septembre.var_m_p_g1); //septembre.var_m_p_g1 has a value 'integer'
stmt.setInt(3,id_g2); //id_g2 has a value 'integer'
stmt.setInt(4,0);
stmt.setInt(5,0);
stmt.setInt(6,0);
stmt.setInt(7,0);
stmt.setInt(8,0);
stmt.setInt(9,0);
stmt.setInt(10,0);
stmt.setInt(11,0);
stmt.setInt(12,0);
stmt.setInt(13,0);
stmt.executeUpdate();

Upvotes: 0

Views: 822

Answers (1)

Jim Garrison

Reputation: 86774

You cannot substitute the table name with a ? placeholder. The statement must explicitly name the table. If you really must do this (SQL Injection vulnerable), you can build the statement dynamically using string formatting:

// assuming mat_pay is the name of a variable containing the table name
String query = String.format("INSERT INTO %s VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", mat_pay);

stmt = connec.prepareStatement(query);
stmt.setInt(1,septembre.var_m_p_g1); //septembre.var_m_p_g1 has a value 'integer'
stmt.setInt(2,id_g2); //id_g2 has a value 'integer'
stmt.setInt(3,0);
stmt.setInt(4,0);
stmt.setInt(5,0);
stmt.setInt(6,0);
stmt.setInt(7,0);
stmt.setInt(8,0);
stmt.setInt(9,0);
stmt.setInt(10,0);
stmt.setInt(11,0);
stmt.setInt(12,0);
stmt.executeUpdate();

The value in mat_pay should not be something entered by a user/client but be completely under your control and not subject to external manipulation. To do otherwise leaves you open to SQL Injection attacks.

Note you also had an extra comma at the beginning of the value list.

Upvotes: 1
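One way to keep the table name "completely under your control", as the answer requires, is to check it against a fixed allowlist before it is spliced into the SQL text, while the column values still go through bind parameters. This is an added example, not code from the question or the answer; the table names in the allowlist and the `buildInsert` / `insertRow` method names are constructed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Set;

public class SafeTableInsert {
    // Allowlist of tables this code is permitted to write to (constructed example values).
    // Only an exact match from this set ever reaches the SQL text.
    private static final Set<String> ALLOWED_TABLES = Set.of("maybe", "septembre", "octobre");

    // Builds "INSERT INTO `table` VALUES (?, ?, ...)" for a known table,
    // or throws if the requested name is not on the allowlist.
    static String buildInsert(String table, int columnCount) {
        if (!ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("unknown table: " + table);
        }
        StringBuilder sql = new StringBuilder("INSERT INTO `").append(table).append("` VALUES (");
        for (int i = 0; i < columnCount; i++) {
            sql.append(i == 0 ? "?" : ", ?");
        }
        return sql.append(")").toString();
    }

    // The identifier is fixed at build time; every value is bound with setInt,
    // so no data value can alter the statement structure.
    static int insertRow(Connection connec, String table, int[] values) throws SQLException {
        String sql = buildInsert(table, values.length);
        try (PreparedStatement stmt = connec.prepareStatement(sql)) {
            for (int i = 0; i < values.length; i++) {
                stmt.setInt(i + 1, values[i]);
            }
            return stmt.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Known table: the statement is built with twelve placeholders.
        System.out.println(buildInsert("maybe", 12));
        // Unknown table: rejected before any SQL is assembled.
        try {
            buildInsert("unknown_table", 12);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

`main` only exercises `buildInsert`; `insertRow` needs a live `Connection` such as the one the question opens with `DriverManager.getConnection`.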
