Java – SQL SELECT statement with where clause

How do I write this SQL statement without a hard coded value?

resultSet = statement
    .executeQuery("select * from myDatabase.myTable where name = 'john'");
// this works

But something similar:

String name = "john"; 
resultSet = statement
    .executeQuery("select * from myDatabase.myTable where name =" + name);
// Unknown column 'john' in 'where clause' at
// sun.reflect.NativeConstructorAccessorImpl.newInstance0...etc...

Thank you in advance

Solution

Building SQL queries in your current way is usually a bad idea because it opens the door to various SQL injection attacks. To perform this operation correctly, you must use prepared statements. This will also solve all kinds of escaping problems that are obviously affecting you at present.

PreparedStatement statement = connection.prepareStatement("select * from myDatabase.myTable where name = ?");    
statement.setString(1,name);    
ResultSet resultSet = statement.executeQuery();

Note that prepareStatement() is an expensive call (unless your application server uses statement caching and other similar tools). In theory, it is best to prepare a statement once and then reuse it many times (although not at the same time):

String[] names = new String[] {"Isaac","Hello"};
PreparedStatement statement = connection.prepareStatement("select * from myDatabase.myTable where name = ?");

for (String name: names) {
    statement.setString(1,name);    
    ResultSet resultSet = statement.executeQuery();
    ...
    ...
    statement.clearParameters();
}
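An added example, not part of the question or the answer above, that shows the three constructions side by side: the bare concatenation from the question, the hand-quoted concatenation most people try next, and the bound parameter the answer recommends. It uses Python's built-in sqlite3 module because it ships with Python and runs offline; its `?` placeholder and positional binding map directly onto JDBC's `prepareStatement("... where name = ?")` and `setString(1, name)`. The table, its rows and the `age` column are constructed here, and `myTable` stands in for the question's `myDatabase.myTable`.

```python
import sqlite3

# Constructed sample data standing in for myDatabase.myTable in the question.
ROWS = [("john", 31), ("Isaac", 45), ("O'Brien", 52)]


def make_db():
    """Create an in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table myTable (name text, age integer)")
    conn.executemany("insert into myTable values (?, ?)", ROWS)
    return conn


def query_concat(conn, name):
    """The question's second snippet: the value is glued into the SQL text,
    so the database parses 'john' as a column name, not as a string."""
    sql = "select name from myTable where name = " + name
    return [row[0] for row in conn.execute(sql)]


def query_concat_quoted(conn, name):
    """Adding quotes by hand makes the simple case work, but the query text
    still changes meaning whenever the value itself contains a quote."""
    sql = "select name from myTable where name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def query_prepared(conn, name):
    """Equivalent of prepareStatement(...) plus setString(1, name): the SQL
    text is fixed and the value is bound separately, so it is always
    compared as data regardless of what characters it contains."""
    sql = "select name from myTable where name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run each construction on plain, quoted and SQL-bearing inputs."""
    conn = make_db()
    results = {}

    # 1. Bare concatenation: sqlite's wording of the error in the question.
    try:
        query_concat(conn, "john")
    except sqlite3.OperationalError as err:
        results["concat_error"] = str(err)  # "no such column: john"

    # 2. Hand-quoted concatenation works for "john" but breaks on a quote.
    results["quoted_john"] = query_concat_quoted(conn, "john")
    try:
        query_concat_quoted(conn, "O'Brien")
    except sqlite3.OperationalError as err:
        results["quoted_obrien_error"] = str(err)
    results["prepared_obrien"] = query_prepared(conn, "O'Brien")

    # 3. A value that carries SQL of its own: concatenation lets it rewrite
    #    the WHERE clause and return every row; binding returns no match.
    crafted = "x' or 'a'='a"
    results["quoted_crafted"] = query_concat_quoted(conn, crafted)
    results["prepared_crafted"] = query_prepared(conn, crafted)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `prepared_*` entries are the behaviour to keep: the bound version returns exactly the rows whose `name` equals the supplied string, whether that string is `john`, `O'Brien` or something that looks like SQL, which is why the answer calls it the fix for both the injection risk and the escaping problem.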