1

I have this peace of code :

String query = "SELECT * FROM utilisateurs WHERE pseudo = '" +  pseudo.getText()+ "' AND password = '" + new String(password.getPassword()) + "'";

My question is : isn't there any other method to concat these variables with the string ?

In C# I was using the method String.Format() method as : 

String query = String.Format("SELECT * FROM utilisateurs WHERE pseudo = '{0}' AND password = '{1}'", pseudo.getText(), new String(password.getPassword()));
Improve this question
5
  • 14
    First, yes. There's a way. Second, don't do this with SQL. Use PreparedStatement instead. Commented May 14, 2013 at 20:50
  • @Makoto how can I use PreparedStatement in java ? Commented May 14, 2013 at 20:52
  • docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html Commented May 14, 2013 at 20:53
  • 3
    Also, hash and salt your passwords. Do not store plaintext passwords in databases. Commented May 14, 2013 at 20:53
  • 3
    Your SQL query appears vulnerable to injection attacks. Commented May 14, 2013 at 20:54

4 Answers 4

Reset to default
17

String.format() can be used to format Strings, Javadoc.

public static String format(String format, Object... args)

Returns a formatted string using the specified format string and arguments.

However when it comes to building SQL query strings the preferred way is to use PreparedStatement (Javadoc) as it:

  • protects you from SQL injection
  • allows the database to cache your query (build the query plan once)

Your code using a PreparedStatement might look like below:

final PreparedStatement pstmt = con.prepareStatement(
    "SELECT * FROM utilisateurs WHERE pseudo = ? AND password = ?");
pstmt.setString(1, pseudo.getText());
pstmt.setString(2, new String(password.getPassword()));
final ResultSet rs = pstmt.executeQuery();
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

okey, but when I used the query as a string, I used ResultSet result = st.executeQuery(query); to execute it, how can I excute that query if I used PreparedStatement ?
Call executeQuery() on the PreparedStatement instance (updated the code snippet).
4

As others have said, String.format is the direct equivalent, but you should use a PreparedStatement instead. From the documentation:

In the following example of setting a parameter, con represents an active connection: 

PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES
                                  SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, 153833.00)
pstmt.setInt(2, 110592)

Using a PreparedStatement instead of String.format will protect your code from SQL injection.

Improve this answer

Comments

1

Java has similar method to format your strings. String.format()

However, if you choose to use PreparedStatement, you can read the documentation here

From the documentation: 

PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, 153833.00)
pstmt.setInt(2, 110592)
Improve this answer

Comments

0

To answer your question directly, as others have mentioned as well, use String.Format, here is a good resource for that: How to use java.String.format in Scala?.

However, in this particular example, the real answer is not to do string substitution, but to use arguments in the SQL statement.

Something like:

query = 
String query = "SELECT * FROM utilisateurs WHERE pseudo = ? AND password = ?";
PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1, pseudo.getText());
ps.setString(2, password.getPassword());
ResultSet rs = ps.executeQuery();
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.