Java request.getParameter condition not checked

Question

I have the following code for requesting 4 parameter, and then creating a query from them.

String reason = request.getParameter("REASON");
String task = request.getParameter("TASK");
String result = request.getParameter("RESULT");
String resultCause = request.getParameter("RESULT_CAUSE");

public boolean isRowInTable(String reason, String task, String result, String resultCause)
        throws BusinessException {
    PreparedStatement prepStmt = null;
    ResultSet rs = null;
    StringBuffer queryB = new StringBuffer("");
    Boolean rowExists = null;
    queryB.append("select ")
            .append("* ").append("from ")
            .append("TABLE_NAME ").append("where ")
            .append("REASON = '").append(reason)
            .append("' AND TASK = '").append(task)
            .append("' AND RESULT = '").append(result);
    if (!(resultCause == "")) {
        queryB.append("' AND RESULT_CAUSE = '").append(resultCause);
    }
            queryB.append("'");

    .
    .
    .
}

When creating a query, the resultCause parameter on the page can be empty, so after googleing for the empty request, I've found, that the value will be an empty String in this case: "". So when checking, if the row exists in the database, I try to transform the query accordingly, and only append the where caluse, if it's not empty. But it seems like I'm doing something wrong here. Am I checking the resultCause in a correct way?

You are misusing prepared statements. Besides that, you want to use `equals` to compare String objects, not `==`. — nbokmans, May 19 '17 at 12:49
@Berger yeah probably.. thank you tough! nbokmans true.. thanks for calling out! — dmbdnr, May 19 '17 at 12:51

score 0 · Answer 1 · answered May 19 '17 at 12:49

0

I see an error here resultCause == ""

This should be the correct statement

resultCause == null || resultCause.isEmpty()

answered May 19 '17 at 12:49

freedev

25,946
8
108
125

score 0 · Accepted Answer · edited Sep 27 '17 at 20:26

You have to use equals(""):

if (!(resultCause.equals(""))) {..}

or you can use isEmpty():

if (!(resultCause.isEmpty())) {..}

But your solution can gives you a Syntax error, or and SQL Injection, instead you have to use PreparedStatement, for example :

queryB.append("select * from TABLE_NAME where REASON = ? AND TASK = ? AND RESULT = ?");
if (!(resultCause.isEmpty())) {
    queryB.append(" AND RESULT_CAUSE = ?");
}
prepStmt= connection.prepareStatement(queryB);

prepStmt.setString(1, reason);
prepStmt.setString(2, task);
prepStmt.setString(3, result);

if (!(resultCause.isEmpty())) {
   prepStmt.setString(4, resultCause);
}

thank you, works properly! and also big thank you for the pstmt part! — dmbdnr, May 19 '17 at 14:32

score 0 · Answer 3 · answered May 19 '17 at 12:52

0

Try this

if (!(resultCause.equals("")))

answered May 19 '17 at 12:52

Rafed Muhammad Yasir

439
8
16

Small note, there is one pair of redundant parenthesis i.e. `if (!(resultCause.equals("")))` == `if (!resultCause.equals(""))` – nbokmans May 19 '17 at 12:55

score 0 · Answer 4 · answered May 19 '17 at 12:59

0

Maybe just something like

String query = String.format("select * from TABLE_NAME 
        where REASON = ? AND TASK = ? AND RESULT = ?%s",
   resultCause.isEmpty()? "" : "AND RESULT_CAUSE = ?");

as a query string for PreparedQuery?

answered May 19 '17 at 12:59

gooamoko

658
12
32

Java request.getParameter condition not checked

4 Answers4