
I have this query (the parameters of the query are given by input: table, name and password are all strings read from text fields).

//...
// table, name and password are taken straight from the text fields
ResultSet rs = st.executeQuery("select * " +
                               "from `" + table + "` " +
                               "where Name='" + name + "' " +
                               "  and Password='" + password + "'");

and after this I don't understand why I can't enter this if:

else if (table=="products"){
    // ...
} 

and therefore I cannot continue with the program.

Barranka
OiRc

3 Answers


Your answer:

 you need to use String.equals

Suggestion:

 please use PREPARED STATEMENT. A simple Statement is not secure, and for other reasons too it is not good to use.
murtaza.webdev

When you do if(table == "products"), Java will do a deep comparison of the two strings and since the two string objects are different (even though they have the same text), the code section will not execute as the condition evaluates to false. You could try table.equals("products"). This will just compare the text of the two strings.

ucsunil

The == operator compares hash values of the two objects. Only if they both have the same hash value will it return true. Always use the str1.equals(str2) method to compare Strings.

Also using prepared statements will help prevent SQL injection, a dangerous form of hacking. See here for an example of why this is dangerous.

Guy Needham
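Pulling the three answers together, here is an added example in Java; it is not code from the question or from any of the answers above. It shows why `==` fails on a value read from a text field, what the concatenated query actually sends to the database when the name contains a quote, and the same lookup rewritten with `PreparedStatement`. JDBC can bind values with `?` but not identifiers, so the table name is checked against an allowlist before it is spliced in. The example assumes Java 9 or later (for `Set.of`), a JDBC driver on the classpath, and a JDBC URL passed as the first command-line argument if you want the live lookup to run; the table names `users` and `products` and the class name `LoginLookup` are placeholders chosen for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class LoginLookup {

    // Table names are identifiers, not values, so JDBC cannot bind them with '?'.
    // The only safe way to let the user pick a table is a fixed allowlist.
    // These two names are assumed for the example.
    private static final Set<String> ALLOWED_TABLES = Set.of("users", "products");

    /** The text the original concatenating code sends to the database.
     *  Included only to make the injection visible; do not use this pattern. */
    public static String concatenatedSql(String table, String name, String password) {
        return "select * from `" + table + "` where Name='" + name
                + "' and Password='" + password + "'";
    }

    /** Returns the table name if it is allowed, otherwise throws.
     *  Set.contains uses String.equals, so a value typed into a text field matches. */
    public static String checkedTable(String table) {
        if (!ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("table not allowed: " + table);
        }
        return table;
    }

    /** Runs the lookup with name and password bound as parameters.
     *  Returns true if a matching row exists. */
    public static boolean lookup(Connection conn, String table, String name, String password)
            throws SQLException {
        // Safe to splice in only because it was just checked against the allowlist.
        String sql = "select * from `" + checkedTable(table) + "` where Name = ? and Password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);      // sent as data, never parsed as SQL
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // A value read from a text field is a different object from the literal,
        // so == compares references and is false even though the characters match.
        String table = new String("products");
        System.out.println("table == \"products\"      -> " + (table == "products"));
        System.out.println("table.equals(\"products\") -> " + table.equals("products"));

        // The original if/else-if chain, written with equals instead of ==.
        if ("users".equals(table)) {
            System.out.println("users branch");
        } else if ("products".equals(table)) {
            System.out.println("products branch");
        }

        // Constructed malicious input: with concatenation the quote closes the
        // string literal and the comment marker drops the password check entirely.
        String evilName = "admin' -- ";
        System.out.println(concatenatedSql(table, evilName, "anything"));

        // Optional live run: java LoginLookup <jdbc-url>. With the prepared
        // statement the same input only matches a user literally named "admin' -- ".
        if (args.length > 0) {
            try (Connection conn = DriverManager.getConnection(args[0])) {
                System.out.println("match: " + lookup(conn, table, evilName, "anything"));
            }
        }
    }
}
```

Writing the comparison as `"products".equals(table)` rather than `table.equals("products")` also avoids a `NullPointerException` when the field was left empty and `table` is null.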