
I'm getting an error while executing following select query:

ResultSet rs = St.executeQuery("select * from login where username="+username+"and password ="+password);

And the exception is

java.sql.SQLSyntaxErrorException: ORA-00933: SQL command not properly ended. 

Please let me know if the query is wrong syntactically.

bpgergo
Anil

6 Answers


Use at least parameters (named parameters are even better). Concatenating values into a SQL string is error-prone and unsafe. E.g.:

String query = "select * from login where username=? and password=?";
// A PreparedStatement is required for the ? placeholders; a plain Statement has no setString()
try (PreparedStatement stmt = con.prepareStatement(query)) {
    stmt.setString(1, username);   // values are bound, never pasted into the SQL text
    stmt.setString(2, password);
    // the SQL was supplied at prepare time, so executeQuery() takes no argument here
    try (ResultSet rs = stmt.executeQuery()) {
        while (rs.next()) {
            //...
        }
    }
} catch (SQLException e) {
    //TODO handle e
}
// try-with-resources closes the ResultSet and PreparedStatement, even on exception
bpgergo
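Added example, not code from the question or from any of the answers: the concatenated query from the question set beside a PreparedStatement version, run on a constructed input (a name containing an apostrophe) to show why the first breaks and the second does not. The login table, its columns and a Connection named con are assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginQuery {

    // The pattern from the question and most answers: values pasted into the
    // SQL text. Kept here only so you can see what the database receives.
    static String concatenated(String username, String password) {
        return "select * from login where username='" + username
             + "' and password ='" + password + "'";
    }

    // Parameterised version: the SQL text is fixed at prepare time and the
    // values travel separately, so a quote inside the input can never change
    // the statement's structure. Assumes a "login" table as in the question.
    static boolean loginExists(Connection con, String username, String password)
            throws SQLException {
        String sql = "select 1 from login where username = ? and password = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: a legitimate name that happens to contain an apostrophe.
        String user = "O'Brien";
        String pass = "secret";
        // The apostrophe closes the string literal early and leaves Brien' dangling,
        // so the database rejects the concatenated statement as a syntax error even
        // though the user did nothing wrong. With loginExists(con, user, pass) the
        // same value is bound as a parameter and the query runs as intended.
        System.out.println(concatenated(user, pass));
    }
}
```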

There's no space between your username and the and keyword. This will parse to

select * from login where username=usernameand password =password

You're also missing single quotes around the values you're inserting into the statement. Try:

ResultSet rs = St.executeQuery("select * from login where username = '" + username + "' and password = '" + password + "'");

I'd also recommend reading about Using Prepared Statements in the Java Tutorials.

Bill the Lizard

Values for username and password should be in quotes:

ResultSet rs = St.executeQuery("select * from login where username='" + username + "' and password ='" + password + "'");
Alexander Zhugastrov

Try this (you are missing a few white spaces and quote marks):

ResultSet rs = 
  St.executeQuery(
    "select * from login where username=\""+username+"\" and password =\""+password + "\"");

Also read about Named parameters in JDBC and SQL injection.

Tomasz Nurkiewicz

Single quotation marks are missing before the value and password; I think it should be:

ResultSet rs = St.executeQuery("select * from login where username='"+username+"' and password ='"+password+"'");
a.u.r
ResultSet rs = St.executeQuery("select * from login where username='"+username+"' and password ='"+password+"'");

The best way to check a query is to take it out and try it on your own... for example:

String query = "select * from login where username='"+username+"' and password = '"+password+"'";

// Print your query and execute it in your SQL client; you'll get to know if it works!
System.out.println(query);

ResultSet rs = St.executeQuery(query);
RThomas