Using “like” wildcard in prepared statement
I am using prepared statements to execute MySQL database queries, and I want to implement a search functionality based on a keyword of sorts.

For that I need to use the LIKE keyword, that much I know. I have also used prepared statements before, but I do not know how to use it with LIKE: in the following code, where would I add the 'keyword%'?

Can I directly use it in the pstmt.setString(1, notes) as (1, notes+"%") or something like that? I see a lot of posts on this on the web but no good answer anywhere.



PreparedStatement pstmt = con.prepareStatement(
"SELECT * FROM analysis WHERE notes like ?");
pstmt.setString(1, notes);
ResultSet rs = pstmt.executeQuery();
Tags: java, mysql, jdbc, prepared-statement
asked Nov 23 '11 at 19:28 by ssn, edited Jan 21 '12 at 1:34 by user806549 (score: 141)

5 Answers

          You need to set it in the value itself, not in the prepared statement SQL string.



          So, this should do for a prefix-match:



// Escape the LIKE metacharacters in the user-supplied value first; the escape
// character itself must be doubled before '%', '_' and '[' are escaped.
notes = notes
    .replace("!", "!!")
    .replace("%", "!%")
    .replace("_", "!_")
    .replace("[", "![");
// Declare the same escape character in the query and append the wildcard to the
// bound value, never to the SQL string.
PreparedStatement pstmt = con.prepareStatement(
    "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");
pstmt.setString(1, notes + "%");


          or a suffix-match:



          pstmt.setString(1, "%" + notes);


          or a global match:



          pstmt.setString(1, "%" + notes + "%");

answered Nov 23 '11 at 19:35 by BalusC, edited Dec 23 '15 at 22:23 by Alain O'Dea (score: 239)

• +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible. – pilcrow, Nov 23 '11 at 19:42

• How do I do it with NON-CASE SENSITIVE mode? :) – Alpha Gabriel V. Timbol, Aug 26 '15 at 13:52

• Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%"). – Zig, Nov 20 '15 at 17:30

• @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in the 1st comment was better, after all? I don't have the opportunity to experiment right now. – BalusC, Dec 23 '15 at 22:47

• @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources. – Alain O'Dea, Dec 24 '15 at 2:18


Code it like this:

PreparedStatement pstmt = con.prepareStatement(
    "SELECT * FROM analysis WHERE notes like ?");
pstmt.setString(1, notes + "%");

Make sure that you DO NOT include the quotes ' ' like below, as they will cause an exception.

pstmt.setString(1, "'%" + notes + "%'");


answered Mar 14 '15 at 13:24 by The Wedding Wolf, edited Sep 5 '17 at 12:36 by Vlad Schnakovszki (score: 22)

• Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought-out structure help people to read and understand your intention. – Markus W Mahlberg, Mar 14 '15 at 14:01

• Though it sounds like someone won't run into this assumption, it's actually very valid, especially when working with Oracle. Thanks for pointing it out! – asgs, Jun 14 '15 at 20:27


          PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");
          ps.setString(1, name + '%');


          Try this out.


answered Mar 10 '16 at 18:01 by Faiz (score: 4)

String fname = "Sam%"; // prefix pattern: the '%' wildcard is part of the bound value
PreparedStatement ps = conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");
ps.setString(1, fname);


answered Nov 15 '17 at 13:27 by Ram Kumar, edited Jun 13 '18 at 16:15 by Young Emil (score: 1)

• Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer – Sketchy Coder, Nov 15 '17 at 13:32


String query = "select * from test1 where " + selected + " like '%" + SelectedStr + "%';";
PreparedStatement preparedStatement = con.prepareStatement(query);
// where selected and SelectedStr are String variables in my program

(score: -5)

• Unsafe + anti-pattern; downvoted. – 6infinity8, Oct 12 '18 at 22:12
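Added example, not code from the question or from any of the answers: the accepted answer's escaping and wildcard placement, the same query without escaping, and the last answer's string-concatenation pattern, run side by side against an in-memory SQLite database using only Python's standard library so the matching behaviour can be checked offline (it also exercises the UPPER() idea from Zig's comment and a '[' in the keyword). The analysis rows, escape_like, like_pattern and the search_notes* helpers are constructed here; the escaping chain ports one-to-one to JDBC's setString().

```python
import sqlite3

ESCAPE = "!"  # escape character, declared again in each query's ESCAPE clause

# Constructed sample rows: the '%', '_', '[' and apostrophe in the data are
# exactly the characters that make escaping and parameter binding matter.
SAMPLE_NOTES = ["rate 100%", "rate 1000", "Rate cut", "under_score",
                "underscore", "[draft] pending", "O'Brien review"]


def escape_like(value: str, escape: str = ESCAPE) -> str:
    """Make every LIKE metacharacter in user input match literally (same
    substitutions as the accepted answer). The escape character is doubled
    first, otherwise the escapes added for '%' and '_' would be escaped again.
    '[' is only a wildcard on SQL Server; SQLite tolerates the extra escape."""
    return (value.replace(escape, escape + escape)
                 .replace("%", escape + "%")
                 .replace("_", escape + "_")
                 .replace("[", escape + "["))


def like_pattern(keyword: str, mode: str = "prefix") -> str:
    """Build the value to bind: escaped keyword plus wildcards on the chosen
    side. The wildcards live in the bound value; the SQL text stays constant."""
    core = escape_like(keyword)
    if mode == "prefix":
        return core + "%"
    if mode == "suffix":
        return "%" + core
    if mode == "contains":
        return "%" + core + "%"
    raise ValueError(f"unknown mode: {mode}")


def open_db() -> sqlite3.Connection:
    """In-memory table mirroring the question's analysis(notes)."""
    con = sqlite3.connect(":memory:")
    # SQLite's LIKE ignores ASCII case by default; turn that off so it behaves
    # like a case-sensitive collation and the UPPER() variant is observable.
    con.execute("PRAGMA case_sensitive_like = ON")
    con.execute("CREATE TABLE analysis (id INTEGER PRIMARY KEY, notes TEXT NOT NULL)")
    con.executemany("INSERT INTO analysis (notes) VALUES (?)",
                    [(note,) for note in SAMPLE_NOTES])
    return con


def search_notes(con, keyword, mode="prefix", ignore_case=False):
    """Parameterized search as in the accepted answer; ignore_case applies the
    UPPER() trick from Zig's comment to both column and bound pattern."""
    if ignore_case:
        sql = ("SELECT notes FROM analysis WHERE UPPER(notes) LIKE UPPER(?) "
               "ESCAPE '!' ORDER BY id")
    else:
        sql = "SELECT notes FROM analysis WHERE notes LIKE ? ESCAPE '!' ORDER BY id"
    return [row[0] for row in con.execute(sql, (like_pattern(keyword, mode),))]


def search_notes_unescaped(con, keyword):
    """Bound but not escaped: still injection-safe, but a '%' or '_' typed by
    the user acts as a wildcard instead of matching itself."""
    sql = "SELECT notes FROM analysis WHERE notes LIKE ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (keyword + "%",))]


def search_notes_concatenated(con, keyword):
    """The downvoted answer's anti-pattern: the keyword is spliced into the SQL
    text, so even an ordinary apostrophe in the data breaks the statement."""
    sql = "SELECT notes FROM analysis WHERE notes LIKE '%" + keyword + "%' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def demo() -> dict:
    """Run every variant against the sample table and collect the rows returned."""
    con = open_db()
    results = {
        "escaped_percent": search_notes(con, "rate 100%"),
        "unescaped_percent": search_notes_unescaped(con, "rate 100%"),
        "escaped_underscore": search_notes(con, "under_"),
        "unescaped_underscore": search_notes_unescaped(con, "under_"),
        "escaped_bracket": search_notes(con, "[draft]"),
        "contains_case_sensitive": search_notes(con, "rate", "contains"),
        "contains_ignore_case": search_notes(con, "rate", "contains", ignore_case=True),
        "apostrophe_bound": search_notes(con, "O'Brien", "contains"),
    }
    try:
        search_notes_concatenated(con, "O'Brien")
        results["apostrophe_concatenated"] = "no error"
    except sqlite3.OperationalError:
        results["apostrophe_concatenated"] = "syntax error"
    con.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```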











            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f8247970%2fusing-like-wildcard-in-prepared-statement%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            5 Answers
            5






            active

            oldest

            votes








            5 Answers
            5






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            239














            You need to set it in the value itself, not in the prepared statement SQL string.



            So, this should do for a prefix-match:



            notes = notes
            .replace("!", "!!")
            .replace("%", "!%")
            .replace("_", "!_")
            .replace("[", "![");
            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");
            pstmt.setString(1, notes + "%");


            or a suffix-match:



            pstmt.setString(1, "%" + notes);


            or a global match:



            pstmt.setString(1, "%" + notes + "%");





            share|improve this answer





















            • 16





              +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

              – pilcrow
              Nov 23 '11 at 19:42











            • how do i do it with NON-CASE SENSITIVE mode? :)

              – Alpha Gabriel V. Timbol
              Aug 26 '15 at 13:52






            • 1





              Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

              – Zig
              Nov 20 '15 at 17:30








            • 1





              @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

              – BalusC
              Dec 23 '15 at 22:47








            • 2





              @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

              – Alain O'Dea
              Dec 24 '15 at 2:18
















            239














            You need to set it in the value itself, not in the prepared statement SQL string.



            So, this should do for a prefix-match:



            notes = notes
            .replace("!", "!!")
            .replace("%", "!%")
            .replace("_", "!_")
            .replace("[", "![");
            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");
            pstmt.setString(1, notes + "%");


            or a suffix-match:



            pstmt.setString(1, "%" + notes);


            or a global match:



            pstmt.setString(1, "%" + notes + "%");





            share|improve this answer





















            • 16





              +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

              – pilcrow
              Nov 23 '11 at 19:42











            • how do i do it with NON-CASE SENSITIVE mode? :)

              – Alpha Gabriel V. Timbol
              Aug 26 '15 at 13:52






            • 1





              Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

              – Zig
              Nov 20 '15 at 17:30








            • 1





              @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

              – BalusC
              Dec 23 '15 at 22:47








            • 2





              @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

              – Alain O'Dea
              Dec 24 '15 at 2:18














            239












            239








            239







            You need to set it in the value itself, not in the prepared statement SQL string.



            So, this should do for a prefix-match:



            notes = notes
            .replace("!", "!!")
            .replace("%", "!%")
            .replace("_", "!_")
            .replace("[", "![");
            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");
            pstmt.setString(1, notes + "%");


            or a suffix-match:



            pstmt.setString(1, "%" + notes);


            or a global match:



            pstmt.setString(1, "%" + notes + "%");





            share|improve this answer















            You need to set it in the value itself, not in the prepared statement SQL string.



            So, this should do for a prefix-match:



            notes = notes
            .replace("!", "!!")
            .replace("%", "!%")
            .replace("_", "!_")
            .replace("[", "![");
            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");
            pstmt.setString(1, notes + "%");


            or a suffix-match:



            pstmt.setString(1, "%" + notes);


            or a global match:



            pstmt.setString(1, "%" + notes + "%");






            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Dec 23 '15 at 22:23









            Alain O'Dea

            14.2k13456




            14.2k13456










            answered Nov 23 '11 at 19:35









            BalusCBalusC

            851k29831523222




            851k29831523222








            • 16





              +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

              – pilcrow
              Nov 23 '11 at 19:42











            • how do i do it with NON-CASE SENSITIVE mode? :)

              – Alpha Gabriel V. Timbol
              Aug 26 '15 at 13:52






            • 1





              Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

              – Zig
              Nov 20 '15 at 17:30








            • 1





              @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

              – BalusC
              Dec 23 '15 at 22:47








            • 2





              @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

              – Alain O'Dea
              Dec 24 '15 at 2:18














            • 16





              +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

              – pilcrow
              Nov 23 '11 at 19:42











            • how do i do it with NON-CASE SENSITIVE mode? :)

              – Alpha Gabriel V. Timbol
              Aug 26 '15 at 13:52






            • 1





              Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

              – Zig
              Nov 20 '15 at 17:30








            • 1





              @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

              – BalusC
              Dec 23 '15 at 22:47








            • 2





              @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

              – Alain O'Dea
              Dec 24 '15 at 2:18








            16




            16





            +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

            – pilcrow
            Nov 23 '11 at 19:42





            +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

            – pilcrow
            Nov 23 '11 at 19:42













            how do i do it with NON-CASE SENSITIVE mode? :)

            – Alpha Gabriel V. Timbol
            Aug 26 '15 at 13:52





            how do i do it with NON-CASE SENSITIVE mode? :)

            – Alpha Gabriel V. Timbol
            Aug 26 '15 at 13:52




            1




            1





            Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

            – Zig
            Nov 20 '15 at 17:30







            Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

            – Zig
            Nov 20 '15 at 17:30






            1




            1





            @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

            – BalusC
            Dec 23 '15 at 22:47







            @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

            – BalusC
            Dec 23 '15 at 22:47






            2




            2





            @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

            – Alain O'Dea
            Dec 24 '15 at 2:18





            @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

            – Alain O'Dea
            Dec 24 '15 at 2:18













            22














            Code it like this:



            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes like ?");
            pstmt.setString(1, notes + "%");`


            Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.



            pstmt.setString(1,"'%"+ notes + "%'");





            share|improve this answer





















            • 3





              Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

              – Markus W Mahlberg
              Mar 14 '15 at 14:01






            • 1





              Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

              – asgs
              Jun 14 '15 at 20:27
















            22














            Code it like this:



            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes like ?");
            pstmt.setString(1, notes + "%");`


            Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.



            pstmt.setString(1,"'%"+ notes + "%'");





            share|improve this answer





















            • 3





              Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

              – Markus W Mahlberg
              Mar 14 '15 at 14:01






            • 1





              Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

              – asgs
              Jun 14 '15 at 20:27














            22












            22








            22







            Code it like this:



            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes like ?");
            pstmt.setString(1, notes + "%");`


            Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.



            pstmt.setString(1,"'%"+ notes + "%'");





            share|improve this answer















            Code it like this:



            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes like ?");
            pstmt.setString(1, notes + "%");`


            Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.



            pstmt.setString(1,"'%"+ notes + "%'");






            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Sep 5 '17 at 12:36









            Vlad Schnakovszki

            5,10335092




            5,10335092










            answered Mar 14 '15 at 13:24









            The Wedding WolfThe Wedding Wolf

            23722




            23722








            • 3





              Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

              – Markus W Mahlberg
              Mar 14 '15 at 14:01






            • 1





              Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

              – asgs
              Jun 14 '15 at 20:27














            • 3





              Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

              – Markus W Mahlberg
              Mar 14 '15 at 14:01






            • 1





              Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

              – asgs
              Jun 14 '15 at 20:27








            3




            3





            Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

            – Markus W Mahlberg
            Mar 14 '15 at 14:01





            Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

            – Markus W Mahlberg
            Mar 14 '15 at 14:01




            1




            1





            Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

            – asgs
            Jun 14 '15 at 20:27





            Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

            – asgs
            Jun 14 '15 at 20:27











            4














            PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");
            ps.setString(1, name + '%');


            Try this out.






            share|improve this answer




























              4














              PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");
              ps.setString(1, name + '%');


              Try this out.






              share|improve this answer


























                4












                4








                4







                PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");
                ps.setString(1, name + '%');


                Try this out.






                share|improve this answer













                PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");
                ps.setString(1, name + '%');


                Try this out.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Mar 10 '16 at 18:01









                FaizFaiz

                33525




                33525























                    1














                    String fname = "Samu0025";

                    PreparedStatement ps= conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");

                    ps.setString(1, fname);





                    share|improve this answer





















                    • 2





1

String fname = "Samu0025";

PreparedStatement ps = conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");

// the pattern, wildcard included, is bound as the parameter value
ps.setString(1, fname);

edited Jun 13 '18 at 16:15 by Young Emil
answered Nov 15 '17 at 13:27 by Ram Kumar

Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer
– Sketchy Coder
Nov 15 '17 at 13:32

-5

String query = "select * from test1 where " + selected + " like '%" + SelectedStr + "%';";

// both the column name and the search term are concatenated straight into the SQL text,
// so this "prepared" statement has no bound parameters at all
PreparedStatement preparedStatement = con.prepareStatement(query);

// where selected and SelectedStr are String Variables in my program

edited Oct 5 '18 at 3:08 by Jayendran
answered Oct 5 '18 at 0:33 by mahesh dhote

Unsafe + anti-pattern; downvoted.
– 6infinity8
Oct 12 '18 at 22:12
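A hardened version of the search in the two answers above, as an added example that is not code from either answerer or the original poster: the column name (the `selected` variable above) is checked against a fixed whitelist because identifiers cannot be bound with `?`, the search term is bound as a parameter with the `%` wildcards added on the Java side, and `%`, `_` and the escape character are escaped so that user input is matched literally. The table `test1`, the column names `name` and `notes`, the `id` column and the `!` escape character are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class LikeSearch {
    // Escape character declared with ESCAPE in the SQL, so '%' and '_' typed by the
    // user match literally instead of acting as wildcards ('!' is an assumed choice).
    static final char ESCAPE = '!';

    // Identifiers cannot be bound with '?', so the searchable column is taken from a
    // fixed whitelist instead of being spliced in from input (assumed column names).
    static final Set<String> SEARCHABLE = Set.of("name", "notes");

    /** Escapes the LIKE metacharacters and the escape character itself in a user term. */
    static String escapeLike(String term) {
        StringBuilder sb = new StringBuilder(term.length());
        for (char c : term.toCharArray()) {
            if (c == ESCAPE || c == '%' || c == '_') {
                sb.append(ESCAPE);
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** "Contains" search on one whitelisted column of the assumed table test1; returns matching ids. */
    static List<Integer> search(Connection con, String column, String term) throws SQLException {
        if (!SEARCHABLE.contains(column)) {
            throw new IllegalArgumentException("column not searchable: " + column);
        }
        // Safe to concatenate only because the column came from the whitelist above.
        String sql = "SELECT id FROM test1 WHERE " + column + " LIKE ? ESCAPE '" + ESCAPE + "'";
        List<Integer> ids = new ArrayList<>();
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            // The wildcards belong in the bound value, never in the SQL text.
            ps.setString(1, "%" + escapeLike(term) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getInt("id"));
                }
            }
        }
        return ids;
    }
}
```

With this shape a term such as `50%` is looked up as the literal three characters rather than as "50 followed by anything", and a caller cannot turn the column argument into arbitrary SQL.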

















