stackoom
  简体   繁体   中英

I am trying to use variable in select query with like clause but getting an error like invalid identifier

 原文  2018-05-01 06:41:59       java/ oracle

Question

I am trying to use variable in select query with like clause but getting an error like invalid identifier. Here is my method... 

private void searchBooks(){

   try{
      String SEARCHFORTHIS=Find_Book_Field.getText();
      pst=conn.prepareStatement("SELECT * FROM BOOK WHERE NAME LIKE  '%'+ SEARCHFORTHIS +'%'");
      rs=pst.executeQuery();
      Show_All_Books.setModel(DbUtils.resultSetToTableModel(rs));
      }catch(SQLException e){
      e.printStackTrace();
      JOptionPane.showMessageDialog(null,e);
      }
    }

2 answers

solution1
 3  2018-05-01 07:30:30

NEVER use string concatenation to build a SQL statement with user-supplied text values.

Well, unless you really want your code to be susceptible to SQL Injection attacks, allowing a hacker to steal your data and delete your tables.

You're already using PreparedStatement , so use it right.

You should also use try-with-resources for correct resource management. 

private void searchBooks() {
    String SEARCHFORTHIS = Find_Book_Field.getText();
    String sql = "SELECT * FROM BOOK WHERE NAME LIKE ?";
    try (PreparedStatement stmt = conn.prepareStatement(sql)) {
        stmt.setString(1, "%" + SEARCHFORTHIS + "%");
        try (ResultSet rs = stmt.executeQuery()) {
            Show_All_Books.setModel(DbUtils.resultSetToTableModel(rs));
        }
    } catch (SQLException e){
        e.printStackTrace();
        JOptionPane.showMessageDialog(null,e);
    }
}

solution2
 1  2018-05-01 06:45:06

Try this 

try{
  String SEARCHFORTHIS=Find_Book_Field.getText();
  pst=conn.prepareStatement("SELECT * FROM BOOK WHERE NAME LIKE  '%"+ SEARCHFORTHIS +"%'");
  rs=pst.executeQuery();
  Show_All_Books.setModel(DbUtils.resultSetToTableModel(rs));
  }catch(SQLException e){
  e.printStackTrace();
  JOptionPane.showMessageDialog(null,e);
  }
}

Made changes in SELECT query only. you have not properly closed the double quote in it.

Note : completely agree with Andreas, we should use Preparedstatment, in this kind of scenarios, to prevent SQL Injection attacks.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Invalid Identifier when using LIKE query in Java I am trying to use a url xml parse but it looks like i keep getting an empty xml How to use placeholders in like clause in SQL query? spring and angulaJS(i am getting error like HTTP Status 404 ) Can anybody tell me what am i doing wrong with the following program? I am getting errors like <identifier expected> and " '; expected" Why am I getting a “cannot find symbol” error when trying to use a local variable? Can anyone tell me why I am getting a SQL*PLUS invalid identifier error? Why am I getting a Identifier expected error Why am I getting Error: identifier expected Why I am getting error "cannot find symbol" when I would like to use java.io.File class?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM