My question is that I want to retrieve marks between a lowest and highest range from a database. The user is prompted to enter the lowest and highest range from the keyboard. I have a problem in my sql query where it is not recognising the cpa1 & cpa2 range that I have specified from the keyboard input. Please help.

See my code below:

// cpa1, cpa2, stt (a java.sql.Statement) and rs are declared earlier in the class
try{
    Scanner input = new Scanner(System.in);
    System.out.print("Kindly enter the lowest CPA threshold : ");
    cpa1 = input.nextFloat();

    System.out.println();

    System.out.println("Kindly enter highest CPA threshold : ");
    cpa2 = input.nextFloat();

     // Problem line: `cpa1` and `cpa2` reach the database as quoted identifiers,
     // not as the two values just read from the keyboard
     rs = stt.executeQuery("SELECT * FROM student WHERE CPA BETWEEN `cpa1` and `cpa2` order by CPA asc");
     while(rs.next()){
         String id = rs.getString("student_id");
         String name = rs.getString("student_name");
         String gender = rs.getString("gender");
         float cpa = rs.getFloat("CPA");
         Date enrol = rs.getDate("enrollment_date");

         // Opened once per row and nothing is written yet; try-with-resources
         // at least closes the file instead of leaking the handle
         try(FileWriter writer = new FileWriter("StudentRange.txt")){

         }catch(Exception e){
             e.printStackTrace();
         }
     }
     input.close(); 
}catch(Exception e){
    e.printStackTrace();
}
  • What class is stt? I highly doubt you can specify the cpa1 and cpa2 substitution values like you are doing with executeQuery. Commented May 2, 2015 at 17:32
  • stt is the Statement Commented May 2, 2015 at 17:34

2 Answers

2

This

rs = stt.executeQuery("SELECT * FROM student WHERE CPA BETWEEN `cpa1` and `cpa2` order by CPA asc");

is not how you build a SQL query with parameters. Use a prepared statement:

String query = "SELECT * FROM student WHERE CPA BETWEEN ? and ? order by CPA asc";
PreparedStatement ps = con.prepareStatement(query); // con is the java.sql.Connection
ps.setFloat(1, cpa1); // first ? -> lower bound
ps.setFloat(2, cpa2); // second ? -> upper bound
ResultSet rs = ps.executeQuery(); // run the statement itself; there is no Connection.execute(ps)

4 Comments

How can I use a prepared statement with insert?
At conn.execute(ps) it is giving me an error: "The method execute(PreparedStatement) is undefined for the type Connection"
Sorry, that's execute on the PreparedStatement. But that is easy to find out if you read the JDBC tutorial and the documentation. SO is not a site where we solve your problem for you and you just sit back and wait for the solution. Do some work yourself!
Thanks man! I edited your answer. The problem is resolved :)
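The prepared-statement approach from this answer carried through to the asker's full loop, as an added example (not code from the question or the answer): the range is checked before it reaches the database, both bounds are bound with setFloat, executeQuery is called on the PreparedStatement, and try-with-resources closes the statement, result set and output file. The method name, the output file name and the column list are assumptions taken from the question's code.

```java
import java.io.BufferedWriter;
import java.io.FileWriter;
import java.io.IOException;
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class StudentRangeExport {

    /**
     * Writes every student whose CPA lies in [low, high] to outFile and
     * returns how many rows were written. The bounds travel as bound
     * parameters, never as text spliced into the SQL string.
     * (Hypothetical method; column names follow the question's code.)
     */
    static int exportStudentsInRange(Connection con, float low, float high, String outFile)
            throws SQLException, IOException {
        // Reject junk before it reaches the database: NaN never matches, and a
        // reversed range silently returns no rows instead of a clear error
        if (Float.isNaN(low) || Float.isNaN(high) || low > high) {
            throw new IllegalArgumentException("lowest threshold must not exceed highest");
        }
        String sql = "SELECT student_id, student_name, gender, CPA, enrollment_date "
                   + "FROM student WHERE CPA BETWEEN ? AND ? ORDER BY CPA ASC";
        int rows = 0;
        try (PreparedStatement ps = con.prepareStatement(sql);
             BufferedWriter out = new BufferedWriter(new FileWriter(outFile))) {
            ps.setFloat(1, low);   // first '?'  -> lower bound
            ps.setFloat(2, high);  // second '?' -> upper bound
            try (ResultSet rs = ps.executeQuery()) {   // executeQuery on ps, not con.execute(ps)
                while (rs.next()) {
                    String id = rs.getString("student_id");
                    String name = rs.getString("student_name");
                    String gender = rs.getString("gender");
                    float cpa = rs.getFloat("CPA");
                    Date enrol = rs.getDate("enrollment_date");
                    out.write(id + "\t" + name + "\t" + gender + "\t" + cpa + "\t" + enrol);
                    out.newLine();
                    rows++;
                }
            }
        }
        return rows;
    }
}
```

Reading the two thresholds with Scanner.nextFloat as in the question still throws InputMismatchException on non-numeric input, so that call belongs in its own try block before exportStudentsInRange is invoked.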
-1

What about that:

rs = stt.executeQuery(String.format("SELECT * FROM student WHERE CPA BETWEEN `%f` and `%f` order by CPA asc", cpa1, cpa2));

10 Comments

No! This opens a huge hole for SQL injection attacks.
@Tichodroma The values are of type float, not String. There is no security issue here.
@pathfinderelite Maybe in this special case. But it is a very bad habit to build SQL like this. Don't do it, even if you think you have everything under control.
I got no mysql running but I assume it has to be something like "SELECT * FROM student WHERE CPA BETWEEN %f and %f order by CPA asc" (without the quotes around the numbers)
@chris Please don't do this. It is very bad advice.