Jump to Real's How-to Main page

INSERT data into a table

Note:the MyConnection class was used to connect to the DB

Statement stmt;
String sql;     
int rows;       

sql = "INSERT INTO tCust " 
    + "(custId, custName, custAddr) "
    + "VALUES "
    + "('" + custId   + "',"
    + "('" + custName + "',"
    + "('" + custAddr + "')";

stmt = theConn.createStatement(); 
rows = stmt.executeUpdate(sql); 
theConn.dbConn.commit(); 
stmt.close();
You need to be aware to the snippet above contains a SQL Injection vulnerability. String concatentation of this form can only be used if you first validate the fields to include only alphanumeric characters. Even, then it is generally considered bad practice when prepared statements solve this problem more cleanly. This is especially when you in a Web application environnement.

Thanks to Lawrence Angrave for the warning.

Before inserting data containing quotes, you may need to double them (so "Real's HowTo" -> "Real''s HowTo"). You can use the following function to "prepare" your string. 
public static String convertString(String source) {
  StringBuffer sb = new StringBuffer();

  for(int i = 0; i < source.length(); i++){
    sb.append(source.charAt(i));
    if(source.charAt(i)=='\'') sb.append('\'')
    }
  return sb.toString();
}

Or you can use a PreparedStatement to insert data containing QUOTES 

PreparedStatement stmt = null;
String sql;     
int rows;       

try {
  sql = "INSERT INTO tCust" 
        + "(custName) "
        + "VALUES "
        + "(?)";
  stmt = theConn.prepareStatement(sql); 
  stmt.setString(1, "Name with \" are permitted!"); 
  rows = stmt.executeUpdate(); 
  theConn.commit(); 
  stmt.close(); 
  System.out.println(sql);             
  }
catch (Exception e){ 
  e.printStackTrace(); 
}

The character "\" can be difficult to use in an INSERT statement since "\" is considered as an escape character in Java (and probably by the database also). 

stmt.executeUpdate("INSERT INTO mytable VALUES('\\')");
may generate a SQL Exception even if the "\" is escaped for Java because you need to escape it again for the database. At the end, you need to use "\\\\" to INSERT a simple "\". 
stmt.executeUpdate("INSERT INTO mytable VALUES('\\\\')");
If you find this article useful, consider making a small donation
to show your support for this Web site and its content.

Written and compiled by Réal Gagnon ©1998-2005
[ home ]