i have simple prepared statement updates records in mysql database. table, column, target attribute , information taken textfields. first made without prepared statement, program breakable if user chose insert quotes or %%$&^* other symbols.
now im getting this:
update client set 'full_name'=martinajh id='5'com.mysql.jdbc.exceptions.jdbc4.mysqlsyntaxerrorexception: have error in sql syntax; check manual corresponds mysql server version right syntax use near ''selectedtable2' set 'namec' = 'cellvalue' id== 5' @ line 1
string cellvalue3 = string.valueof( table.getvalueat(row, 0) ); int id = integer.parseint(cellvalue3); string selectedtable2 = (string) listoftablesnames.getselectedvalue(); string cellvalue = string.valueof( table.getvalueat(row, column) ); string namec = table.getcolumnname(column); string query ="update ? set ? = ? id== ?"; preparedstatement preparedstmt = (preparedstatement) conn.preparestatement(query); preparedstmt.setstring (1, "selectedtable2"); preparedstmt.setstring(2, "namec"); preparedstmt.setstring(3, "cellvalue"); preparedstmt.setint(4, id); preparedstmt.executeupdate();
you can't construct preparedstatement table name parameter. need contruct sql string concatenation/placeholder string.format. prepared statement column values not table name. in case:
string query ="update `" + selectedtablevar + "` set `" + fieldnamevar + "` = ? id = ?"; //... preparedstmt.setstring(1, "cellvalue"); preparedstmt.setint(2, id); also, id = ? @c. helling mentioned.
as sanitizing selectedtablevar , fieldnamevar variables, can't find link right now, can research valid qualifier in mysql... afaik, utf character valid, of special symbols may part of valid table name etc. using syntax suggested above should bother not allowing ` character prevent injection , guess that's it. must investigated.
Comments
Post a Comment