
I'm trying to print a list (of only 1 item) but my JPQL statement isn't working due to quotations. I've tried every combination possible it seems but none will work. If anyone has any suggestions or different approaches I'd appreciate it. Note: I found a somewhat similar question on the site before I posted this but the answers aren't working for my case. Thanks

String submittedName=request.getParameter("name");
user=entityManager.find(user.getClass(),submittedName);
Query myQuery=entityManager.createQuery
        ("SELECT u.password FROM UserData u WHERE u.name=''"+submittedName+"");
List results=myQuery.getResultList();
String convertedResults=results.get(0).toString();
out.println(results);
kellzer
  • You do realize that in the actual query you're making (at least in the code you've posted), whatever `submittedName` is ends up *outside* the quotations, right? – Dennis Meng Feb 15 '14 at 03:47
  • Ignore your problem with quotes. Don't ever concatenate strings that you receive from a user into a query like you are trying to do. This is just begging to have your database hacked. Ever hear of Bobby Tables? http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work – Rob Feb 15 '14 at 04:54

1 Answer

To summarize what Dennis and Rob are trying to say:

String submittedName=request.getParameter("name");
user=entityManager.find(user.getClass(),submittedName);
// :name is a named parameter; the JPA provider binds the value separately,
// so the user's input never becomes part of the JPQL text.
Query myQuery=entityManager.createQuery("SELECT u.password FROM UserData u WHERE u.name=:name");
myQuery.setParameter("name", submittedName);
List results=myQuery.getResultList();
String convertedResults=results.get(0).toString();
out.println(results);
Pace
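As an added example (not code from the question or the answer), the same parameterized query wrapped in a small lookup helper that uses a TypedQuery and also handles the case the posted code misses: results.get(0) throws when no UserData row matches the name. UserDataLookup and findPasswordByName are assumed names; the UserData entity and its name and password fields come from the question.

```java
import java.util.List;
import java.util.Optional;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;

// Added example: UserDataLookup and findPasswordByName are assumed names,
// not part of the original question or answer.
public final class UserDataLookup {
    private final EntityManager entityManager;

    public UserDataLookup(EntityManager entityManager) {
        this.entityManager = entityManager;
    }

    /**
     * Looks up the stored password for the given user name.
     * The name is bound as a named parameter (:name), so the JPA provider
     * sends it to the database as a value; it never becomes part of the
     * JPQL text, whatever quotes or other characters it contains.
     */
    public Optional<String> findPasswordByName(String submittedName) {
        // request.getParameter returns null when the parameter is absent;
        // treat that (and an empty name) as "no match" instead of querying.
        if (submittedName == null || submittedName.isEmpty()) {
            return Optional.empty();
        }
        TypedQuery<String> query = entityManager.createQuery(
                "SELECT u.password FROM UserData u WHERE u.name = :name",
                String.class);
        query.setParameter("name", submittedName);
        List<String> results = query.getResultList();
        // The posted code calls results.get(0) unconditionally, which throws
        // IndexOutOfBoundsException when no UserData row has that name.
        return results.isEmpty() ? Optional.empty() : Optional.of(results.get(0));
    }
}
```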