
hello everyone i am trying to make this search bar in java but when i search without typing double quotation i get this error

search error image

but when i type numbers or words with double quotation it works just fine

searching with double quotation image

here is my code

Code image


private void jButton_Show1ActionPerformed(java.awt.event.ActionEvent evt) {
    try {
        String Accounts_Choose_Value = jTextField1.getText();
        // Accounts_Choose_Value = (String) Accounts_jComboBox_Choose_Value.getSelectedItem();

        // Always true: a String is always equal to itself.
        if (Accounts_Choose_Value.equals(Accounts_Choose_Value)) {
            // The typed text is concatenated into the SQL without quotes, so typing
            // google produces WHERE URL=google and MySQL looks for a column called google.
            String sql = "SELECT * FROM accounts WHERE URL=" + Accounts_Choose_Value;
            con = DriverManager.getConnection("jdbc:mysql://localhost/accountmanagerdb", "root", "");
            Statement s = con.prepareStatement(sql);
            ResultSet rs = s.executeQuery(sql);
            if (rs.next()) {
                // Columns 2..5 of accounts: user name, email, password, backup codes
                String Account_User_Name = rs.getString(2);
                String Account_Email = rs.getString(3);
                String Account_Password = rs.getString(4);
                String Account_Backup_Codes = rs.getString(5);

                jLabel_Account_User_Name.setText(Account_User_Name);
                jLabel_Account_Email.setText(Account_Email);
                jLabel_Account_Password.setText(Account_Password);
                jLabel_Account_Backup_Codes.setText(Account_Backup_Codes);
            }
        }
    } catch (SQLException ex) {
        JOptionPane.showMessageDialog(null, ex,
                "Database", JOptionPane.ERROR_MESSAGE);
    }
}

I didn't write anything in the text field handler:

private void jTextField1ActionPerformed(java.awt.event.ActionEvent evt) {
    // TODO add your handling code here:
}
Yahya

1 Answer


Change this one line, but beware of SQL injection:

String sql = "SELECT * FROM accounts WHERE URL=\""+Accounts_Choose_Value+"\"";

Basically you need to wrap the WHERE clause entry in double quotes. Your first query generates:

SELECT * FROM accounts WHERE URL=google

which means you are asking: give me all rows which have the column value URL equal to the column value google.

The right query is:

SELECT * FROM accounts WHERE URL="google"

Now you are asking: give me all rows whose URL is equal to the string "google".

In the first case your code fails, saying: I can't find a column named google.

EDIT

Basically you should not directly string-interpolate your variables; that will lead to security issues.

You can refer to how to do a prepared statement here:

Java - escape string to prevent SQL injection

Kavin Eswaramoorthy
    Don’t do that! Read about SQL injection, then start using a PreparedStatement for this. – Axel Feb 13 '21 at 03:50
  • But please use bind variables, otherwise this is open to SQL injection. – Thilo Feb 13 '21 at 03:50
  • @Axel Updated the Answer with the warning, My bad I should have been careful with my answers – Kavin Eswaramoorthy Feb 13 '21 at 04:53
  • can someone please explain how to prevent sql injection in my code – Yahya Feb 13 '21 at 18:33
  • @Yahya: It's simple. Don't ever put together SQL queries from user input. Create a PreparedStatement and then set the parameter values using the setXXX-methods. See this [answer](https://stackoverflow.com/a/1582192/341291) to another question for an example of what could go wrong. Read more about PreparedStatement in this [article](https://www.baeldung.com/java-statement-preparedstatement) by Baeldung. – Axel Feb 15 '21 at 09:05
  • @k4vin Maybe you should edit your answer into an example explaining concatenating user input into SQL statements is dangerous and show how change OP's code into one that uses PreparedStatement instead to turn down- into upvotes. ;-) – Axel Feb 15 '21 at 09:08
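The PreparedStatement version the comments ask for, as an added example that is not part of the question or the answer. It reuses the connection URL, credentials, table name and column positions from the question's code; the `AccountLookup` and `Account` class names, the `findByUrl` method and the constructed attack string are mine. `unsafeSql` builds the double-quoted query from the answer only to show why quoting alone is not enough: an input that contains its own double quote closes the literal and the rest is parsed as SQL.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;

public class AccountLookup {

    // Connection settings copied from the code in the question.
    private static final String JDBC_URL = "jdbc:mysql://localhost/accountmanagerdb";
    private static final String DB_USER = "root";
    private static final String DB_PASSWORD = "";

    // Holder for the four columns the question reads (positions 2..5 of `accounts`).
    public static final class Account {
        public final String userName, email, password, backupCodes;

        Account(String userName, String email, String password, String backupCodes) {
            this.userName = userName;
            this.email = email;
            this.password = password;
            this.backupCodes = backupCodes;
        }
    }

    /**
     * The quoted concatenation from the answer. Kept here only to show the problem:
     * the caller's text becomes part of the SQL grammar, not just a value.
     * Do not use this in real code.
     */
    static String unsafeSql(String userInput) {
        return "SELECT * FROM accounts WHERE URL=\"" + userInput + "\"";
    }

    /**
     * Same lookup with a bind parameter. The SQL text is fixed; the driver sends the
     * URL as data, so quotes or keywords in it can never change the query's meaning.
     * This also fixes the original error, because the driver does the quoting.
     */
    public static Optional<Account> findByUrl(Connection con, String url) throws SQLException {
        String sql = "SELECT * FROM accounts WHERE URL = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, url);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return Optional.empty();
                }
                return Optional.of(new Account(
                        rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5)));
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed malicious input: the embedded double quote ends the URL literal
        // and the rest appends an always-true OR clause, so the concatenated query
        // matches every row in the table instead of one.
        String attack = "google\" OR \"1\"=\"1";
        System.out.println("concatenated query: " + unsafeSql(attack));

        // Search for the first command-line argument, or for the attack string itself.
        String search = args.length > 0 ? args[0] : attack;
        try (Connection con = DriverManager.getConnection(JDBC_URL, DB_USER, DB_PASSWORD)) {
            Optional<Account> hit = findByUrl(con, search);
            // With the bound parameter the attack string is just a URL nobody stored,
            // so it finds nothing; a real URL such as google is found as before.
            System.out.println(hit.map(a -> "user: " + a.userName).orElse("no match"));
        }
    }
}
```

In the Swing handler from the question this replaces the `sql` concatenation, the `Statement s = con.prepareStatement(sql)` line and `s.executeQuery(sql)`: build the statement with the `?` placeholder, call `setString(1, Accounts_Choose_Value)` and then `executeQuery()` with no argument. The try-with-resources blocks also close the statement, result set and connection, which the original handler never does.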