
I do not know why I have this error... please, if someone can tell me what's wrong in this:

com.mysql.jdbc.exception you have an error in your sql syntax; check the manual that corresponds to your MySQL server version for the right syntax to use

mat_pay="maybe";
Class.forName("com.mysql.jdbc.Driver");
connec = DriverManager.getConnection("jdbc:mysql://localhost/babe","root","");
stmt = connec.prepareStatement("INSERT INTO ? VALUES ( , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? ) ");
stmt.setString(1,mat_pay);
stmt.setInt(2,septembre.var_m_p_g1); //septembre.var_m_p_g1 has an integer value
stmt.setInt(3,id_g2); //id_g2 has an integer value
stmt.setInt(4,0);
stmt.setInt(5,0);
stmt.setInt(6,0);
stmt.setInt(7,0);
stmt.setInt(8,0);
stmt.setInt(9,0);
stmt.setInt(10,0);
stmt.setInt(11,0);
stmt.setInt(12,0);
stmt.setInt(13,0);
stmt.executeUpdate();
  • There might be more problems, but it's hard to tell because you didn't bother to format your code. You're asking people to help you, so it's in your own best interest to make it easy for them to do so. Commented Aug 21, 2016 at 2:32
  • Post (add to your question using edit) the exact SQL you expect to execute. Commented Aug 21, 2016 at 2:36

1 Answer

You cannot substitute the table name with a ? placeholder. The statement must explicitly name the table. If you really must (SQL Injection vulnerable) do this, you can build the statement dynamically using string formatting:

// assuming mat_pay is the name of a variable containing the table name
String query = String.format("INSERT INTO %s VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", mat_pay);

stmt = connec.prepareStatement(query);
stmt.setInt(1,septembre.var_m_p_g1); //septembre.var_m_p_g1 has a value 'integer'
stmt.setInt(2,id_g2); //id_g2 has an integer value
stmt.setInt(3,0);
stmt.setInt(4,0);
stmt.setInt(5,0);
stmt.setInt(6,0);
stmt.setInt(7,0);
stmt.setInt(8,0);
stmt.setInt(9,0);
stmt.setInt(10,0);
stmt.setInt(11,0);
stmt.setInt(12,0);
stmt.executeUpdate();

The value in mat_pay should not be something entered by a user/client but be completely under your control and not subject to external manipulation. To do otherwise leaves you open to SQL Injection attacks.

Note you also had an extra comma at the beginning of the value list.
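As an added example (not the asker's or the answerer's code) of keeping the table name under your control: check the requested name against a fixed allowlist, build the INSERT from that checked name, and bind only the column values with ?. The allowlisted table names, the column count and the helper names are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Set;

public class SafeTableInsert {
    // Assumed allowlist of tables this code may write to. A table name is an
    // identifier, so JDBC can never bind it with '?'; only values are bindable.
    private static final Set<String> ALLOWED_TABLES = Set.of("maybe", "septembre", "octobre");

    /** Returns the table name only if it is on the allowlist; rejects anything else. */
    static String checkedTable(String requested) {
        if (requested == null || !ALLOWED_TABLES.contains(requested)) {
            throw new IllegalArgumentException("table not permitted: " + requested);
        }
        return requested;
    }

    /** Builds "INSERT INTO `table` VALUES (?, ?, ...)" with exactly valueCount placeholders. */
    static String buildInsert(String table, int valueCount) {
        if (valueCount < 1) throw new IllegalArgumentException("need at least one value");
        StringBuilder sql = new StringBuilder("INSERT INTO `")
                .append(checkedTable(table)).append("` VALUES (");
        for (int i = 0; i < valueCount; i++) {
            sql.append(i == 0 ? "?" : ", ?");   // no leading comma, unlike the question
        }
        return sql.append(")").toString();
    }

    /** Inserts one row: two leading ids followed by zeros, as in the question's layout. */
    static int insertRow(Connection connec, String table, int id1, int id2, int totalColumns)
            throws SQLException {
        try (PreparedStatement stmt = connec.prepareStatement(buildInsert(table, totalColumns))) {
            stmt.setInt(1, id1);
            stmt.setInt(2, id2);
            for (int i = 3; i <= totalColumns; i++) {
                stmt.setInt(i, 0);
            }
            return stmt.executeUpdate();
        }
    }

    public static void main(String[] args) throws Exception {
        // Connection details taken from the question; adjust for your server.
        try (Connection connec = DriverManager.getConnection("jdbc:mysql://localhost/babe", "root", "")) {
            System.out.println(insertRow(connec, "maybe", 7, 12, 12) + " row(s) inserted");
        }
        // Any name not on the list (e.g. one read from a request) throws before SQL is built.
    }
}
```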
