CODEWITHSUNDEEP
javamysql
JHRS
JHRS

Reputation: 365

Java Preparedstatement error when reading from MySql Database

I'm working on a simple application that pulls data from a local database. The below code works fine when I use a string for the SQL query, but I can not get it to work with PreparedStatement. I have reviewed similar problems posted here but most of those were caused by doing this, preparedStmt.executeQuery(query); instead of this preparedStmt.executeQuery(); Here is the code,

    private final String POSTTITLE=     "posttitle"; // DB Column name
    private final String POSTCONTENT=   "content"; // DB Column name

   public String getDbContent(){
        try{
            String query ="select values(?, ?) from blog";
            PreparedStatement preparedStmt = this.connect.prepareStatement(query);
            preparedStmt.setString (1,POSTTITLE);
            preparedStmt.setString (2,POSTCONTENT);
            ResultSet rs = preparedStmt.executeQuery();
            rs.next();
            return(rs.getString(this.POSTCONTENT)); //Will replace with loop to get all content
        } catch(Exception e) {
           System.err.println("Error Reading database!");
           System.err.println(e);
           return("Error: "+e);
        }
    }

This is the error I get: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''posttitle', 'content') from blog' at line 1

Upvotes: 1

Views: 238

Answers (3)

ipper
ipper

Reputation: 784

Try this:

String query ="select POSTTITLE, POSTCONTENT from blog";
PreparedStatement preparedStmt = this.connect.prepareStatement(query);
ResultSet rs = preparedStmt.executeQuery();
rs.next();

There is no need to use field names as parameter.

Upvotes: 0

Beri
Beri

Reputation: 11600

Try concatenating select query:

String query ="select "+POSTTITLE+","+POSTCONTENT+" from blog";

Remember that prepared statements are for values, not query parameters, for them we use simply concatenations.

Upvotes: 0

Jon Skeet
Jon Skeet

Reputation: 1499770

Parameters in prepared statements are for values - you're trying to use them to select fields. They just don't work that way.

In this very specific instance, you'll need to make the SQL dynamic. However, you'll want to make sure that whatever code you have to allow your columns to be specified is tightly constrained to avoid SQL injection attacks. (For example, you could have an enum with the columns in, or a whitelist of allowed values.)

Upvotes: 2

Related Questions