I am having some some class that is sending queries to data base. Everything was working fine when the query was in the code, but as it’s pretty big, I decided to put it in a file and to read it with buffered reader, but it’s not working, I always get this:
java.sql.SQLException: ORA-00900: invalid SQL statement
Here is my query:
SELECT p.first_name "FirstName", p.middle_name "MiddleName", p.last_name "LastName", p.birth_name "BirthName", p.mothers_name "MothersName", p.nick_name "NickName", p.username "Username", p.currency_id "Currency", p.preferred_language_id "PreferredLanguage", p.accepts_email "AcceptsEmail", p.birth_date "BirthDate", p.hear_about_us "HeardAboutUs", p.tax_category_id "TaxCategory", p.birth_place "BirthPlace", p.accepts_id_verification "AcceptsIdentityVerification", p.security_prompt "SecurityPrompt", p.gender_id "Gender", p.tracking_campaign_name "TrackingCampaign", p.accepts_sms "AcceptsSMS", p.accepts_promotional_sms "AcceptsPromotionalSMS", p.identification_number "IdentificationNumber", p.id_verified_id "IdentificationVerified", p.security_word "SecurityWord", p.ident_manual_verified_until "IdentificationManualVerified", p.accepts_chat "AcceptsChat", p.frequent_player_level_id "FrequentPlayerLevel", p.preferred_comm_channel "PreferredCommunicationChannel", p.is_reward_abuser "IsRewardAbuser", p.newsletter_id "Newsletter", p.accepts_rewards "AcceptsRewards", ci.postal_code "PostalCode", ci.country_id "Country", ci.region "Region", ci.email "Email", ci.address1 "Address1", ci.address2 "Address2", ci.address3 "Address3", ci.phone1 "Phone1", ci.phone2 "Phone2", ci.city "City", ci.mobile_phone "MobilePhone", ci.address_state_id "AddressVerified" FROM player p JOIN contact_info ci ON p.CONTACT_INFO_ID = ci.CONTACT_INFO_ID JOIN player_session ps ON p.PLAYER_ID = ps.PLAYER_ID WHERE ps.external_client_session_id = '$sessionID'Here is the code I am using:
String query = ""; try{ BufferedReader bufferedReader = new BufferedReader( new FileReader("templates\sqlQueries\GetPlayerDetails.txt") ); while(bufferedReader.readLine()!=null){ query = new StringBuilder().append(query).append(bufferedReader.readLine()).toString(); } } catch (FileNotFoundException e){ e.printStackTrace(); } catch (IOException e){ e.printStackTrace(); } query = query.replace("$sessionID", sessionID);Advertisement
Answer
You only need to escape your double-quotes in Java string literals. If you’re reading the SQL query from a file, Java will have no problem with the double-quotes unescaped in the file.
Take out all the escapes on the double-quotes in your file, and it should work fine.
p.first_name "FirstName", Also, create your StringBuilder before your while loop, so you you don’t start over each time, and that you don’t read two lines per iteration:
StringBuilder sb = new StringBuilder();String line;while ((line = bufferedReader.readLine()) != null){ sb.append(line);}query = sb.toString();Additionally, instead of replacing the single-quotes at the end for the session ID value (which would work), use a ? JDBC placeholder, and use a PreparedStatement to bind the session ID before you execute the query. That would prevent possible SQL injection attempts, e.g. if sessionID was the string:
Robert'); DROP TABLE players; --