
I have developed a Java program and I need to update and insert the login details of users. I have two text fields and two buttons named "add user" and "edit user". When I type the username and password in the two text fields, the user is added to the database successfully; the error is in "edit user". I want to update the password of the user based on the username, and I'm getting an SQL error when trying to update the user.

Here is my SQL query for updating the password of a user based on his username:

String sql = "UPDATE Admin SET password='"+JT_pass1.getText()+"' WHERE username = "+JT_username1.getText();

When I execute it I'm getting this error:

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Unknown column 'sss' in 'where clause'

"sss" is what I entered in the username field. In the MySQL database I have an Admin table which consists of two columns, admin and username.

I cannot figure out where I am going wrong; any help would be highly appreciated.

  • You are missing quotes around JT_username1.getText(). Better: use placeholders. Commented Jan 20, 2017 at 7:34
  • You forgot the single quotes: ...WHERE username = '"+JT_username1.getText()+"'"; Commented Jan 20, 2017 at 7:34
  • Try using a prepared statement. Commented Jan 20, 2017 at 7:35
  • Little Bobby Tables, we call him. xkcd.com/327 - yes, use prepared statements. Never ever copy data that some evil mind entered on your text field to your SQL. Never ever. Commented Jan 20, 2017 at 7:37
  • Sir, thank you for your help. Commented Jan 20, 2017 at 7:51

3 Answers


Your immediate problem is that you forgot to place single quotes around the username in your query. Hence, the database is interpreting sss as a column. But you should really be using prepared statements:

import java.sql.Connection;
import java.sql.PreparedStatement;

String query = "UPDATE Admin SET password=? WHERE username = ?";
PreparedStatement update = con.prepareStatement(query); // con is an open java.sql.Connection
update.setString(1, JT_pass1.getText());     // parameters are 1-indexed: first ? is the password
update.setString(2, JT_username1.getText()); // second ? is the username
update.executeUpdate();

There are many advantages to using prepared statements. First, it will automatically take care of proper escaping of strings and other types of data. In addition, it will prevent SQL injection from happening.
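As an added illustration (not code from the question or any of the answers), the following Python script reproduces the failure and the fix against an in-memory SQLite table standing in for the MySQL Admin table. SQLite's positional `?` placeholders work like JDBC's, so the parameterised update is the same shape as the answer above; the error text differs from MySQL's but is the same "unknown column" failure. The table, rows and usernames are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the question's Admin table, with one user."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Admin (username TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO Admin VALUES ('sss', 'old')")
    con.commit()
    return con


def update_concatenated(con, username, new_password):
    """The question's query, built by string concatenation with the username
    left unquoted. Returns the database error message, or None if it ran."""
    sql = ("UPDATE Admin SET password='" + new_password
           + "' WHERE username = " + username)
    try:
        con.execute(sql)
        con.commit()
        return None
    except sqlite3.Error as e:
        # SQLite reports this as "no such column: sss"; MySQL as
        # "Unknown column 'sss' in 'where clause'". Same root cause.
        return str(e)


def update_prepared(con, username, new_password):
    """The answer's approach: ? placeholders, values bound separately by the
    driver. Returns the number of rows updated (0 if no such user)."""
    cur = con.execute("UPDATE Admin SET password=? WHERE username = ?",
                      (new_password, username))
    con.commit()
    return cur.rowcount


def password_of(con, username):
    """Read back a user's stored password (also parameterised)."""
    row = con.execute("SELECT password FROM Admin WHERE username = ?",
                      (username,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    print("concatenated:", update_concatenated(con, "sss", "new"))
    print("prepared rows:", update_prepared(con, "sss", "new"))
    print("stored password:", password_of(con, "sss"))
    # A username containing a quote is plain data to a prepared statement.
    print("quoted name rows:", update_prepared(con, "o'neil", "x"))
```

The last call shows the other half of the argument for placeholders: input containing a single quote neither breaks the statement nor changes its meaning, it simply matches no row.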


To get this to work, you need to add quotes around the username like so:

String sql = "UPDATE Admin SET password='"+JT_pass1.getText()+"' WHERE username = '"+JT_username1.getText()+"'";

However, updating the database this way is vulnerable to SQL injection, so it would be much better to use Prepared Statements.


To consider "JT_username1.getText()" as part of your query string, you have to enclose it in proper quotation. Just like you added "JT_pass1.getText()" between single and double quotes, you have to add "JT_username1.getText()" the same way.

String sql = "UPDATE Admin SET password='" + JT_pass1.getText() + "' WHERE username = '"+JT_username1.getText()+"'";
