Quote:
String query = "update cart" + name + " set productname="+productname+" ,productquantity=" + productquantity2 + " ,productsize = "+ productsize + " ,productcode = "+productcode+",imageurl="+imageurl+" where id=" + id2;
That's not how parameters work. Your code is injecting the values directly into the query, which leaves you vulnerable to SQL Injection.
When you pass that query to the PreparedStatement, it sees that there are no parameter placeholders in the query. When you then try to set the value of the first parameter, you get an exception because there are no parameters.
Update your query to use proper parameter placeholders:
String query = "update cart set productname = ?, productquantity = ?, productsize = ?, productcode = ?, imageurl = ? where id = ?";
This will fix your error, and the SQL Injection vulnerability in your code.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
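Added example, not code from the question or the answer above: the parameterized update wired into a PreparedStatement. The quoted code also builds the table name from name; a placeholder cannot bind an identifier, so if that was intentional the table name has to be checked against a fixed allowlist, which this example does with a constructed set of names. con is assumed to be an open JDBC connection, and the column types (int for productquantity and id) are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Set;

public class CartUpdate {

    // Constructed allowlist: the only cart tables this code is permitted to touch.
    // Table and column names cannot be bound as parameters, so an identifier that
    // comes from user input must be compared against a fixed set like this one.
    private static final Set<String> ALLOWED_CART_TABLES = Set.of("cart", "cart_guest");

    // Same "cart" + name concatenation as the original, but rejected unless the
    // result is one of the known tables.
    static String cartTable(String name) {
        String table = "cart" + name;
        if (!ALLOWED_CART_TABLES.contains(table)) {
            throw new IllegalArgumentException("unknown cart table: " + table);
        }
        return table;
    }

    static int updateCartRow(Connection con, String name, String productname,
                             int productquantity, String productsize, String productcode,
                             String imageurl, int id) throws SQLException {
        // Every value is a '?' placeholder; only the validated table name is spliced in.
        String query = "update " + cartTable(name)
                + " set productname = ?, productquantity = ?, productsize = ?,"
                + " productcode = ?, imageurl = ? where id = ?";
        try (PreparedStatement ps = con.prepareStatement(query)) {
            // The driver sends these values separately from the SQL text, so a quote
            // or comment sequence inside productname is stored as data, not parsed.
            ps.setString(1, productname);
            ps.setInt(2, productquantity);
            ps.setString(3, productsize);
            ps.setString(4, productcode);
            ps.setString(5, imageurl);
            ps.setInt(6, id);
            return ps.executeUpdate(); // number of rows changed
        }
    }
}
```

If the table is always cart, as in the answer's corrected query, drop cartTable and write the table name as a literal; the allowlist is only needed when the name really is chosen at runtime.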