CODEWITHSUNDEEP
javamysqlsql
SamSi
SamSi

Reputation: 31

SQL statement not adding the single quotes ( ' ')

Im writing a java program and I have a SQL statement that currently is outputting wrong: so the code is:

        String sql = "SELECT Name from Users WHERE Name LIKE "+t;

and the Output is:

SELECT Name from Users WHERE Name LIKE David

But I need it to be with single quotes how can I add that to be like:

SELECT Name from Users WHERE Name LIKE 'David'

how can I add those quotes?

Many thanks for the help

Upvotes: 0

Views: 402

Answers (2)

cdaiga
cdaiga

Reputation: 4937

Use a prepared statement to prevent sql injections.

String searchedName = "cdaiga";

String sql = "SELECT Name from Users WHERE UPPER(Name) LIKE '%?%'";

PreparedStatement preparedStatement = dbConnection.prepareStatement(sql);
preparedStatement.setString(1, (searchedName!=null? searchedName.toUpper(): ""));

// execute the SQL stetement
preparedStatement .executeUpdate();

ResultSet rs = preparedStatement.executeQuery();

// print the results if any is returned
while (rs.next()) {
   String name= rs.getString("Name");    
   System.out.println("name: " + name);
}

Note that a case insensitive search would be appropriate.

Upvotes: 1

Kushan
Kushan

Reputation: 5984

This is a very common mistake. I'm guessing you are using Statement class to create your query and executing it.

I'd like to suggest that you use prepared statements. It'll since your issue and help you with further issues.

PreparedStatement ps = yourconn.prepareStatement("select name from users where name like ?");

ps.setString(1,yoursearchedusername);

ResultSet rs = ps.executeQuery();

This will add your quotes. Plus it will prevent from sql injection attacks in future.

Your current query will also cause issues of your actual query has ' or ? Or any other sql wild card. Prepared statement avoids all these issues and helps with performance by having the sql already compiled and stored at db layer (if enabled)

Upvotes: 4

Related Questions