
Getting a true(1) or false(0) from specific sql statement

I need help with the code below and getting it to return a true or false value. Any and all help would be appreciated.

    public synchronized static boolean checkCompanyName(String companyName,
            Statement statement) {
        try {
            // The company name is concatenated straight into the SQL text
            ResultSet res = statement
                    .executeQuery("SELECT `companyName` FROM `companys` WHERE companyName = '"
                            + companyName + "';");
            boolean containsCompany = res.next();

            res.close();

            return containsCompany;

        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }

Try to make your query like this:

ResultSet res = statement.executeQuery("SELECT companyName FROM companys WHERE companyName = " + companyName);

Or you can use PreparedStatement, which is better than what you did before.

Two comments:

  1. You only need to check if there's at least one row matching your criteria, so you can use .first()
  2. Your code is vulnerable to SQL Injection attacks. Please read this to learn more about it.

The easiest way to avoid SQL injection attacks is to use prepared statements. So let me strike two birds with a single stone and give you a solution using them:

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/*
Check if the company exists.
Parameters:
  conn    - The connection to your database
  company - The name of the company
Returns:
  true if the company exists, false otherwise
*/
public static boolean checkCompanyName(Connection conn, String company) {
    boolean ans = false;
    // The question mark is a placeholder: the value is bound separately
    // and never becomes part of the SQL text
    try (PreparedStatement ps = conn.prepareStatement(
            "select companyName from companies where companyName = ?")) {
        ps.setString(1, company); // You set the value for each placeholder
                                  // using the setXXX() methods
        try (ResultSet rs = ps.executeQuery()) {
            // first() requires a scrollable ResultSet on some drivers;
            // next() gives the same answer on a forward-only one
            ans = rs.first();
        } catch (SQLException e) {
            // Handle the exception here
        }
    } catch (SQLException e) {
        // Handle the exception here
    }
    return ans;
}

Suggested reads:

You should be using a PreparedStatement (to that end, pass the Connection in to the method). Also, you should retrieve the value from the ResultSet and validate it matches your companyName. Something like

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

static final String query = "SELECT `companyName` FROM "
    + "`companys` WHERE companyName = ?";

public synchronized static boolean checkCompanyName(String companyName,
        Connection conn) {
    PreparedStatement ps = null;
    ResultSet rs = null;
    try {
        ps = conn.prepareStatement(query);
        ps.setString(1, companyName); // bound as data, not spliced into the SQL
        rs = ps.executeQuery();
        if (rs.next()) {
            // The database comparison may be case-insensitive, so confirm
            // the stored value really equals the requested name
            String v = rs.getString(1);
            return v.equals(companyName);
        }
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        // Release the JDBC resources in reverse order of creation
        if (rs != null) {
            try {
                rs.close();
            } catch (SQLException e) {
            }
        }
        if (ps != null) {
            try {
                ps.close();
            } catch (SQLException e) {
            }
        }
    }
    return false;
}
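The two points made in the last two answers, that a concatenated query lets the input change the statement's structure while a bound parameter cannot, and that an existence check on a case-insensitive database should still compare the returned value, are easier to see side by side. The following is an added example, not code from any of the answers; it uses Python's standard-library sqlite3 module instead of JDBC so that it runs without a driver (the `?` placeholder plays the same role as the PreparedStatement parameter set with setString). The `companys` table contents and its NOCASE collation are constructed for the demonstration; a legitimate name containing an apostrophe is enough to break the concatenated version, whereas the parameterised one simply treats it as data.

```python
import sqlite3

# Constructed sample data standing in for the asker's `companys` table.
# COLLATE NOCASE mimics a database whose default comparison is case-insensitive.
SAMPLE_COMPANIES = ["Acme", "O'Brien Ltd"]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE companys (companyName TEXT COLLATE NOCASE)")
    conn.executemany("INSERT INTO companys VALUES (?)",
                     [(name,) for name in SAMPLE_COMPANIES])
    conn.commit()
    return conn


def check_company_concat(conn, company_name):
    """The question's pattern: the name is spliced into the SQL text.

    An apostrophe in the input closes the string literal early, so the
    database parses user data as SQL. Returns True/False, or an error string
    when the spliced statement no longer parses.
    """
    sql = ("SELECT companyName FROM companys WHERE companyName = '"
           + company_name + "';")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def check_company_param(conn, company_name):
    """Parameterised query: the statement is parsed first and the value is
    bound afterwards, so the input can never alter the SQL."""
    row = conn.execute(
        "SELECT companyName FROM companys WHERE companyName = ?",
        (company_name,)).fetchone()
    return row is not None


def check_company_exact(conn, company_name):
    """Parameterised query plus the exact-match check from the third answer:
    a case-insensitive collation matches 'acme' to 'Acme', so compare the
    stored value in code before reporting success."""
    row = conn.execute(
        "SELECT companyName FROM companys WHERE companyName = ?",
        (company_name,)).fetchone()
    return row is not None and row[0] == company_name


def run_checks(conn, company_name):
    """Run all three variants on one input and collect their results."""
    return {
        "concat": check_company_concat(conn, company_name),
        "param": check_company_param(conn, company_name),
        "exact": check_company_exact(conn, company_name),
    }


if __name__ == "__main__":
    db = make_db()
    for name in ["Acme", "acme", "O'Brien Ltd", "Nonexistent Co"]:
        print(repr(name), run_checks(db, name))
```

Running it shows `"acme"` reported as existing by both database-side checks but rejected by the exact comparison, and `"O'Brien Ltd"` producing a syntax error from the concatenated query while the parameterised versions find the row.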
