I have this piece of code:

String query = "SELECT * FROM utilisateurs WHERE pseudo = '" +  pseudo.getText()+ "' AND password = '" + new String(password.getPassword()) + "'";

My question is: isn't there any other method to concatenate these variables with the string?

In C# I was using the String.Format() method, as:

String query = String.Format("SELECT * FROM utilisateurs WHERE pseudo = '{0}' AND password = '{1}'", pseudo.getText(), new String(password.getPassword()));
Azer Rtyu

4 Answers

String.format() can be used to format Strings (see the Javadoc):

public static String format(String format, Object... args)

Returns a formatted string using the specified format string and arguments.

However when it comes to building SQL query strings the preferred way is to use PreparedStatement (Javadoc) as it:

  • protects you from SQL injection
  • allows the database to cache your query (build the query plan once)

Your code using a PreparedStatement might look like below:

final PreparedStatement pstmt = con.prepareStatement(
    "SELECT * FROM utilisateurs WHERE pseudo = ? AND password = ?");
pstmt.setString(1, pseudo.getText());
pstmt.setString(2, new String(password.getPassword()));
final ResultSet rs = pstmt.executeQuery();
Adam Siemion
  • Okay, but when I used the query as a string, I used `ResultSet result = st.executeQuery(query);` to execute it. How can I execute that query if I use PreparedStatement? – Azer Rtyu May 14 '13 at 21:07
  • Call `executeQuery()` on the `PreparedStatement` instance (updated the code snippet). – Adam Siemion May 14 '13 at 21:12
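The same lookup written out as a complete method, added here as an example rather than code taken from the answer above. It assumes an already-open JDBC `Connection` (the `con` variable of the answer), a table `utilisateurs` with `id`, `pseudo` and `password` columns as the question implies, and that the password arrives as the `char[]` that Swing's `JPasswordField.getPassword()` returns:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;

public class UserLookup {

    // The SQL text is a compile-time constant: user input is bound to the
    // two '?' placeholders at execution time and never becomes part of it,
    // so a quote or comment sequence typed into the login form is just data.
    private static final String FIND_USER =
        "SELECT id FROM utilisateurs WHERE pseudo = ? AND password = ?";

    /**
     * Returns true if exactly the given pseudo/password pair exists.
     * Assumed helper for this example; not part of the original answer.
     */
    public static boolean userExists(Connection con, String pseudo, char[] password)
            throws SQLException {
        // try-with-resources closes the statement and result set even if
        // executeQuery() throws, so no cursor is leaked on failure.
        try (PreparedStatement ps = con.prepareStatement(FIND_USER)) {
            ps.setString(1, pseudo);
            // setString needs a String; this copy is immutable and cannot be
            // wiped, which is the one place the char[] benefit is lost.
            ps.setString(2, new String(password));
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        } finally {
            // Overwrite the caller's char[] so the password does not linger
            // in the heap longer than necessary.
            Arrays.fill(password, '\0');
        }
    }
}
```

Called as `UserLookup.userExists(con, pseudo.getText(), password.getPassword())`, this replaces both the concatenated query and the `st.executeQuery(query)` call from the question. Two points worth noting: the `PreparedStatement` protects the query structure, not the data in it, so comparing the `password` column directly as the question does only works if passwords are stored in clear text in the table, which is a separate problem from injection; and the `FIND_USER` constant is the property that makes the statement safe, so it should never be assembled from `String.format()` or concatenation with user-supplied values, even when a placeholder is also used.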
As others have said, String.format is the direct equivalent, but you should use a PreparedStatement instead. From the documentation:

In the following example of setting a parameter, con represents an active connection:

import java.math.BigDecimal;
import java.sql.PreparedStatement;

PreparedStatement pstmt = con.prepareStatement(
        "UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, new BigDecimal("153833.00")); // setBigDecimal takes a BigDecimal, not a double
pstmt.setInt(2, 110592);

Using a PreparedStatement instead of String.format will protect your code from SQL injection.

wchargin
Java has a similar method to format your strings: String.format()

However, if you choose to use PreparedStatement, you can read the documentation here

From the documentation:

import java.math.BigDecimal;
import java.sql.PreparedStatement;

PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
pstmt.setBigDecimal(1, new BigDecimal("153833.00")); // setBigDecimal takes a BigDecimal, not a double
pstmt.setInt(2, 110592);
srikanta
To answer your question directly, as others have mentioned as well, use String.Format, here is a good resource for that: How to use java.String.format in Scala?.

However, in this particular example, the real answer is not to do string substitution, but to use arguments in the SQL statement.

Something like:

String query = "SELECT * FROM utilisateurs WHERE pseudo = ? AND password = ?";
PreparedStatement ps = connection.prepareStatement(query);
ps.setString(1, pseudo.getText());
// getPassword() returns a char[], so it must be converted to a String first
ps.setString(2, new String(password.getPassword()));
ResultSet rs = ps.executeQuery();
Paul Wagland