Reputation: 83
I am attempting to allow keyboard input from my Java project to search for a car license number (VARCHAR) in my database. I am getting an error in my tester class about an SQL syntax error. What would be the correct procedure so that when I search for a license it will display that license? Thanks in advance.
public Car getCar(String searchLicense) {
    Car foundCar = new Car();
    try {
        Class.forName("com.mysql.jdbc.Driver");
        Connection conn = DriverManager.getConnection(url + dbName, userName, password);
        statement = conn.createStatement();
        resultSet = statement.executeQuery(
                "select * from eflow.registration.cLicense where="+searchLicense);
        while (resultSet.next()) {
            foundCar = new Car(resultSet.getInt("cID"), resultSet.getString("cLicense"),
                    resultSet.getInt("cJourneys"), resultSet.getString("cUsername"),
                    resultSet.getString("cPassword").toString());
        }
        conn.close();
    } catch (Exception e) {
        e.printStackTrace();
    }
    return foundCar;
}
Upvotes: 1
Views: 73
Reputation: 610
You are missing a single quote and the column name also..
resultSet = statement.executeQuery(
        "select * from eflow.registration.cLicense where cLicenseName='"+searchLicense+"'");
Better solution, try this..
resultSet = statement.executeQuery(
        "select * from eflow.registration.cLicense where cLicenseName like '%"+searchLicense+"%'");
Upvotes: 1
Reputation: 12953
The direct problem you're talking about is that you are missing quotation marks in your query, since it is a string, so what @Dakoda suggested in the comments should solve it.
However, the bigger issue here is that you are vulnerable to SQL injection, as you are allowing user input into your query. If I put in input like xxx' or 'a' ='a
I'll be able to fetch your entire database.
You should use a parameterized query to protect yourself.
Upvotes: 0
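The parameterized query this answer recommends, as an added example that is not part of the original question or answers: it keeps the table and column names from the question's code (eflow.registration, cLicense) and assumes url, dbName, userName, password and Car are the same class members the question's getCar uses.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Drop-in replacement for the question's getCar. The licence value is bound to
// the '?' placeholder with setString, so it is always treated as data: an input
// such as  xxx' or 'a'='a  is compared literally and matches no row instead of
// rewriting the WHERE clause. Class.forName is not needed with a JDBC 4 driver.
public Car getCar(String searchLicense) {
    // Assumed schema/table/column names, taken from the question's code.
    String sql = "SELECT cID, cLicense, cJourneys, cUsername, cPassword "
               + "FROM eflow.registration WHERE cLicense = ?";
    Car foundCar = new Car();   // same "empty Car when not found" behaviour as the question
    try (Connection conn = DriverManager.getConnection(url + dbName, userName, password);
         PreparedStatement ps = conn.prepareStatement(sql)) {
        ps.setString(1, searchLicense);   // bound as a parameter, never concatenated
        // For the LIKE variant from the other answer, keep the placeholder and bind
        // the wildcards as part of the value:  ps.setString(1, "%" + searchLicense + "%");
        try (ResultSet rs = ps.executeQuery()) {
            if (rs.next()) {
                foundCar = new Car(rs.getInt("cID"), rs.getString("cLicense"),
                                   rs.getInt("cJourneys"), rs.getString("cUsername"),
                                   rs.getString("cPassword"));
            }
        }
    } catch (SQLException e) {
        e.printStackTrace();
    }
    return foundCar;   // try-with-resources closes the ResultSet, statement and connection
}
```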