Java error SQL query

Asked

Viewed 543 times

1

I am trying to make a webapp in java , however I am beginner , in the login part of the app, I created a routine that receives as parameter an object and performs a search in the database according to the object that contains login=Tavio and password=123 .

My database has a table called users where it has 2 fields, user and password.

public boolean login(Cliente cliente)throws SQLException, Exception{
       String comando = "select senha from usuarios where usuario="+cliente.getLogin();       
       PreparedStatement stmt = con.prepareStatement(comando);      
       ResultSet rs = stmt.executeQuery();
       while(rs.next()){
           if (cliente.getSenha().equals(rs.getString("senha"))){
               return true;
           }
       }
       return false;
    }

but this giving this error:

Exception in thread "main" java.sql.SQLSyntaxErrorException: A coluna 'OTAVIO' não está presente em nenhuma tabela da lista FROM, ou aparece dentro de uma especificação de junção e está fora do escopo da especificação de junção, ou aparece em uma cláusula HAVING e não está na lista GROUP BY. Se esta for uma instrução CREATE ou ALTER TABLE, então, 'OTAVIO' não é uma coluna da tabela de destino.
at org.apache.derby.client.am.SQLExceptionFactory40.getSQLException(Unknown Source)
at org.apache.derby.client.am.SqlException.getSQLException(Unknown Source)
at org.apache.derby.client.am.Connection.prepareStatement(Unknown Source)
at persistencia.Usuario.login(Usuario.java:32)
at Control.teste.main(teste.java:24)
Caused by: org.apache.derby.client.am.SqlException: A coluna 'OTAVIO' não está presente em nenhuma tabela da lista FROM, ou aparece dentro de uma especificação de junção e está fora do escopo da especificação de junção, ou aparece em uma cláusula HAVING e não está na lista GROUP BY. Se esta for uma instrução CREATE ou ALTER TABLE, então, 'OTAVIO' não é uma coluna da tabela de destino.
at org.apache.derby.client.am.Statement.completeSqlca(Unknown Source)
at org.apache.derby.client.net.NetStatementReply.parsePrepareError(Unknown Source)
at org.apache.derby.client.net.NetStatementReply.parsePRPSQLSTTreply(Unknown Source)
at org.apache.derby.client.net.NetStatementReply.readPrepareDescribeOutput(Unknown Source)
at org.apache.derby.client.net.StatementReply.readPrepareDescribeOutput(Unknown Source)
at org.apache.derby.client.net.NetStatement.readPrepareDescribeOutput_(Unknown Source)
at org.apache.derby.client.am.Statement.readPrepareDescribeOutput(Unknown Source)
at org.apache.derby.client.am.PreparedStatement.readPrepareDescribeInputOutput(Unknown Source)
at org.apache.derby.client.am.PreparedStatement.flowPrepareDescribeInputOutput(Unknown Source)
at org.apache.derby.client.am.PreparedStatement.prepare(Unknown Source)
at org.apache.derby.client.am.Connection.prepareStatementX(Unknown Source)
... 3 more

Java Result: 1

  • 1

    The mistake says A coluna 'OTAVIO' não está presente em nenhuma tabela da lista FROM. Already tried to write the string comando somewhere in the program and run it in some database manager program?

  • has worked and.

2 answers

5

Avoid throwing the values informed by the user directly in the query, use Prepared statements to not give chance to sql Injection. Error aconetce because it is missing simple quotes around the value that is returned by getLogin().

To correct do as follows.

String comando = "select senha from usuarios where usuario = ?";
PreparedStatement stmt = con.prepareStatement(comando); 
stm.setString(1, cliente.getLogin());
ResultSet rs = stmt.executeQuery();

Queries are replaced by values sequentially if there was one more parameter it would be the number two and so on.

Ex:

String comando = "SELECT * FROM usuarios where usuario = ? AND senha = ? and token = ?";
PreparedStatement stmt = con.prepareStatement(comando); 
stm.setString(1, cliente.getLogin());--------------------^
stm.setString(2, cliente.getSenha());----------------------------------^
stm.setString(3, cliente.getToken());-----------------------------------------------^
  • in case if you had two values returned by getLogin and getQualquerCoise. Just put two questions? for example: WHERE usuario = ? AND ANYTHING = ?

  • And in stm.setString set 2 for anything?

  • @Joãoneto, would be more or less that, stay tuned to use the method set() with the right guy.

  • Hmmm, got it. Very good, thanks =)

3

The error is here

"select senha from usuarios where usuario="+cliente.getLogin(); 

the "right" is

"select senha from usuarios where usuario= '"+cliente.getLogin()+"'"; 

see that it has a simple quote wrapped client.getLogin()

But never do this direct concatenation in String sql, so it is very easy to make an Injection sql and easily your database will be in danger. Correct is you parameterize the arguments, as the colleague 'Lost' explained.

String comando = "select senha from usuarios where usuario = ?";
PreparedStatement stmt = con.prepareStatement(comando); 
stm.setString(1, cliente.getLogin());
ResultSet rs = stmt.executeQuery();

Browser other questions tagged

You are not signed in. Login or sign up in order to post.