#1
Hi All,

I am new to the world of databases and am facing a small problem. I am developing an application where I have to authenticate the user from the database. It is a web-based form from which I have to pick the user ID and password; up to this point everything is working fine. I am able to get the connection properly, but I am facing a problem while using the SELECT query.

I have a user whose ID is aum. I am using the query like this, entering the username as a static value, i.e. aum:

    rSet=stmt.executeQuery("SELECT * FROM user WHERE userName='"+"aum"+"'");

But if I try dynamic values, i.e. if I try to use a variable in place of aum, like this:

    rSet=stmt.executeQuery("SELECT * FROM user WHERE userName='uName'");

or

    rSet=stmt.executeQuery("SELECT * FROM user WHERE userName='"+"uName"+"'");

where uName is a String and is used to store the user ID of the user from the front end (which it is storing properly), then in this case, using the variable, it says that the result set is empty, while the user ID in the variable is perfectly fine.

Any pointer in correcting the problem is much appreciated.

--thanks in advance
umesh
|
#2
Your code is putting the variable uName within the String; it will be treated as a part of the String and not as a variable. Modify that line as:

java Code:

If you want to get over the jugglery of adding single quotes around Strings, make use of PreparedStatement - http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html

Last edited by Annie79 : March 21st, 2008 at 07:20 AM. Reason: Added more information
|
#3
One more cent: you might always think of escaping variables when building a SQL statement, to avoid any SQL injection (most likely your uName variable was entered at some point by a user).

An easy way to do this is with the StringEscapeUtils class from the Apache Commons Lang package.
|
#4
PreparedStatement can solve that problem without requiring a third-party package.
|
#5
True, it just applies to scenarios where you want to construct your statement yourself and use a normal Statement.
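As an added illustration of the three points made in this thread (the concatenation fix in post #2, the injection warning in post #3 and the PreparedStatement answer in post #4), and not code from the original poster or from any of the repliers, here is a small Java program. It assumes the H2 JDBC driver is on the classpath and uses a table named app_user in place of the poster's user table (both are assumptions; the thread never says which database is in use). The two sample rows are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not the poster's code. Assumes the H2 JDBC driver is on the
// classpath (an assumption; the thread never names a database) and uses an
// in-memory table called app_user as a stand-in for the poster's "user" table.
public class UserLookupDemo {

    // Count rows returned by SQL text built by hand and run through a plain
    // Statement (the poster's approach).
    static int rowsWithStatement(Connection c, String sql) throws SQLException {
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            int n = 0;
            while (rs.next()) n++;
            return n;
        }
    }

    // Same lookup with a PreparedStatement: the user name is bound as a
    // parameter, so whatever it contains can never become part of the SQL text.
    static int rowsWithPrepared(Connection c, String uName) throws SQLException {
        try (PreparedStatement ps =
                 c.prepareStatement("SELECT * FROM app_user WHERE userName=?")) {
            ps.setString(1, uName);
            try (ResultSet rs = ps.executeQuery()) {
                int n = 0;
                while (rs.next()) n++;
                return n;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo");
             Statement setup = c.createStatement()) {
            // Constructed sample data: two accounts, one of them the poster's "aum".
            setup.execute("CREATE TABLE app_user (userName VARCHAR(32), passwd VARCHAR(64))");
            setup.execute("INSERT INTO app_user VALUES ('aum', 'secret1'), ('bob', 'secret2')");

            String uName = "aum"; // the value the front end delivered

            // 1. The poster's second attempt: 'uName' inside the quotes is a
            //    literal string, not the variable, so no row can match it.
            String literal = "SELECT * FROM app_user WHERE userName='uName'";
            System.out.println(literal + " -> " + rowsWithStatement(c, literal) + " row(s)");

            // 2. The fix from post #2: the variable's value is spliced into the
            //    SQL text, so the lookup finds aum.
            String concat = "SELECT * FROM app_user WHERE userName='" + uName + "'";
            System.out.println(concat + " -> " + rowsWithStatement(c, concat) + " row(s)");

            // 3. Why post #3 warns about injection: a crafted user name closes the
            //    quote and appends its own condition, matching every account.
            String hostile = "x' OR '1'='1";
            String injected = "SELECT * FROM app_user WHERE userName='" + hostile + "'";
            System.out.println(injected + " -> " + rowsWithStatement(c, injected) + " row(s)");

            // 4. Post #4's answer: the same hostile input bound as a parameter is
            //    compared as a plain string value and matches nothing, while the
            //    legitimate name still matches.
            System.out.println("prepared, " + hostile + " -> "
                    + rowsWithPrepared(c, hostile) + " row(s)");
            System.out.println("prepared, " + uName + " -> "
                    + rowsWithPrepared(c, uName) + " row(s)");
        }
    }
}
```

Compile and run it with the H2 jar on the classpath (for example `java -cp h2.jar:. UserLookupDemo`). The first query returns no rows, which is exactly the "result set is empty" symptom from the question; the concatenated query finds aum; the injected string turns the WHERE clause into `userName='x' OR '1'='1'` and returns both accounts, which is what an attacker would use to bypass a login check built this way; the PreparedStatement returns no rows for the hostile value and one row for aum, because the bound parameter is never parsed as SQL.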
Thread: Problem in SELECT QUERY (Dev Articles Community Forums > Programming > Java Development)