I can't find the correct syntax for the following query in Java, please help me.

String st = "SELECT COUNT('"+id+"') FROM '"+selected_table+"'";

I think that the mistake is how to end the query...

Since I got the error "Check the manual that corresponds to your MySQL server version for the right syntax to use near ''Customer'' at line 1"

when I choose the Customer table.

Thom Smith
asked Jul 25, 2012 at 20:52
  • Be careful with forming queries by concatenating strings that originate from the client, since that opens up an injection vulnerability. Commented Jul 25, 2012 at 20:55
  • @Hyangelo, +1 for a good point, but do you think (given the implications from the quality of the question) that the OP would understand the importance of that? Commented Jul 25, 2012 at 20:57
  • @mre good point as well, but I just felt I had to at least point out the potential danger. Commented Jul 25, 2012 at 20:58
  • And in case the OP doesn't know what exactly you mean: en.wikipedia.org/wiki/Sql_injection Commented Jul 25, 2012 at 21:00
  • Since I am a beginner, can you give some tips, e.g. which is the best way to combine Java code with SQL statements? Commented Jul 25, 2012 at 21:16

4 Answers

You want to use backticks instead of single quotes around your object names.

String st = "SELECT COUNT(`"+id+"`) FROM `"+selected_table+"` ";
answered Jul 25, 2012 at 20:56

Table names should be surrounded by tick marks (`), not single quotes (').

String st = "SELECT COUNT('"+id+"') FROM `"+selected_table+"`";
 ^ use tick marks ^
answered Jul 25, 2012 at 20:56


What are the values of id and selected_table? What is the actual query string that is sent to the database?

Also, it's rarely a good idea to manually build a query like this using string concatenation. This makes it very easy for a bug to result in a gaping security hole, and it's a lot more difficult (and risky) to try to secure this approach than it is to just do it right.

answered Jul 25, 2012 at 20:57

2 Comments

Both of the values are String
That's their type – but what would you expect their values to be?
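An added example (not from the question or any of the answers) of the approach the comments recommend: table and column names cannot be passed as JDBC "?" parameters, so they are checked against a fixed allowlist and backtick-quoted, and the resulting query is run through a PreparedStatement. The class name, the allowlist contents and the rejected input are constructed for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class SafeCount {
    // Constructed allowlist for this example; a real application would load it
    // from configuration or DatabaseMetaData, never from the request itself.
    static final Set<String> ALLOWED_TABLES = Set.of("Customer", "Orders");
    static final Set<String> ALLOWED_COLUMNS = Set.of("id", "customer_id");

    /** Quote a MySQL identifier with backticks, doubling any embedded backtick. */
    static String quoteIdentifier(String name) {
        return "`" + name.replace("`", "``") + "`";
    }

    /** Identifiers cannot be bound with '?', so they are allowlisted, then quoted. */
    static String buildCountQuery(String column, String table) {
        if (!ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("table not permitted: " + table);
        }
        if (!ALLOWED_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("column not permitted: " + column);
        }
        return "SELECT COUNT(" + quoteIdentifier(column) + ") FROM " + quoteIdentifier(table);
    }

    /** Execute the validated query; any row filter value would be bound with '?'. */
    static long countRows(Connection conn, String column, String table) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(buildCountQuery(column, table));
             ResultSet rs = ps.executeQuery()) {
            rs.next();
            return rs.getLong(1);
        }
    }

    public static void main(String[] args) {
        System.out.println(buildCountQuery("id", "Customer"));
        // Constructed input that is not a known table: rejected before any SQL is built.
        try {
            buildCountQuery("id", "Customer`; --");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that the quoting fix in the answers also changes what is counted: COUNT('id') counts a string literal on every row, while COUNT(`id`) counts non-NULL values of the id column.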

It looks from your query that you are enclosing your id and selected_table in single quotes... For example, SELECT COUNT('ID') FROM 'CUSTOMER', which is wrong. They should be in backticks `` or nothing...

answered Jul 25, 2012 at 20:59

1 Comment

OK, it works: in the FROM clause I use "+selected_table+" without ' ' and it works. Thank you very much, guys.
