Home/ Questions/Q 9218369
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T02:50:51+00:00

how would i write this sql statement without a hard coded value? resultSet =

  • 0

how would i write this sql statement without a hard coded value?

resultSet = statement
    .executeQuery("select * from myDatabase.myTable where name = 'john'");
// this works

rather have something like:

String name = "john"; 
resultSet = statement
    .executeQuery("select * from myDatabase.myTable where name =" + name);
// Unknown column 'john' in 'where clause' at
// sun.reflect.NativeConstructorAccessorImpl.newInstance0...etc...

thanks in advance..

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It is a terrible idea to construct SQL queries the way you currently do, as it opens the door to all sorts of SQL injection attacks. To do this properly, you’ll have to use Prepared Statements instead. This will also resolve all sorts of escaping issues that you’re evidently having at the moment.

    PreparedStatement statement = connection.prepareStatement("select * from myDatabase.myTable where name = ?");    
statement.setString(1, name);    
ResultSet resultSet = statement.executeQuery();

    Note that prepareStatement() is an expensive call (unless your application server uses statement caching and other similar facilities). Theoretically, it’d be best if you prepare the statement once, and then reuse it multiple times (though not concurrently):

    String[] names = new String[] {"Isaac", "Hello"};
PreparedStatement statement = connection.prepareStatement("select * from myDatabase.myTable where name = ?");

for (String name: names) {
    statement.setString(1, name);    
    ResultSet resultSet = statement.executeQuery();
    ...
    ...
    statement.clearParameters();
}
    • 0