String username="abc";
String pwd="abc";

String query="Select username,pwd where username = ? and pwd = ?";

I want to replace the character '?' in this string by different values, with username and pwd specified. Is there any function by which we can find '?', which appears twice, and replace it with username and pwd?

Graham Borland
Mayur Patel
    Is this to send something to a database? If so, you *shouldn't* be performing the replacement yourself. Please provide more context - it's entirely possible that the approach you're trying to take is a really bad idea. – Jon Skeet Oct 07 '11 at 09:03
    Is this intended to be an SQL query? Maybe you should consider using `PreparedStatement` – Cratylus Oct 07 '11 at 09:03

5 Answers


Sure, have a look at String.replaceFirst for instance:

String query = "Select username,pwd where username = ? and pwd = ?"
                       .replaceFirst("\\?", username)
                       .replaceFirst("\\?", pwd);

Keep in mind though, that you probably want to properly escape username and pwd.

Consider for instance what happens if I provide something like

 or 1=1

as password.

For more information on this, have a look at the various answers to:


If possible, use PreparedStatements!

aioobe
  • I don't want to use PreparedStatement because I don't have control on the DB. There is one doubt in this: if there will be more parameters like address, emailId, then will this work? Is this a dynamic way to replace this? Thanks a lot for giving me a prompt reply – Mayur Patel Oct 07 '11 at 09:21
  • Sure, it will work. Try it out. (But as I said, be sure to escape special characters one way or another :-) – aioobe Oct 07 '11 at 09:21
  • Great. If you can tell more on that, to escape special characters in the same example, it will give me a better idea. – Mayur Patel Oct 07 '11 at 09:23
  • Added a link to my answer. (I'd rather not elaborate on that here, since it's fairly off-topic to the title of your question :-) – aioobe Oct 07 '11 at 09:29
  • It's ok, I will follow that link, it will be helpful for me. Thanks a lot aioobe, I appreciate your help in this. It's solved just within a few mins. Thanks again – Mayur Patel Oct 07 '11 at 09:33

You should look into String replaceFirst(String regex, String replacement).

Buhake Sindi
Tobias

You could do:

String username="abc"; 
String pwd="abc";

String query="Select username,pwd where username = ? and pwd = ?";
query = query.replaceFirst("\\?", username);
query = query.replaceFirst("\\?", pwd);

but if you are doing this for an actual db-query you will want to use prepared statements: eg.

String username="abc"; 
String pwd="abc";

String query="Select username,pwd where username = ? and pwd = ?";
PreparedStatement pStmt = con.prepareStatement(query); // con: an already-open java.sql.Connection
pStmt.setString(1, username); // PreparedStatement has no setParameter(); use the typed setters
pStmt.setString(2, pwd);

ResultSet rs = pStmt.executeQuery();

Matt Fellows
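The two approaches from aioobe's and Matt Fellows' answers side by side, as an added example that is not code from the question or any answer: the `users` table and FROM clause (the question's query has none), the class and method names, and the sample inputs are assumptions, and `con` is an already-open JDBC Connection as in the answer above. It also shows a caveat the answers only hint at: `replaceFirst` treats `$` and `\` in the replacement specially, so even the text-substitution route needs `Matcher.quoteReplacement`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Matcher;

public class PlaceholderDemo {
    // Assumed table name and FROM clause; the question's query omits them.
    static final String QUERY =
        "Select username,pwd from users where username = ? and pwd = ?";

    // Text substitution as in the answers above. The values are wrapped in quotes so
    // the result is at least syntactically a string literal; that is exactly why a
    // quote inside the value can break out of the literal and change the query.
    static String buildByReplacement(String username, String pwd) {
        // replaceFirst reads '$' and '\' in the replacement as group references;
        // quoteReplacement makes the value literal, so "pa$$word" neither throws nor mangles.
        return QUERY
            .replaceFirst("\\?", Matcher.quoteReplacement("'" + username + "'"))
            .replaceFirst("\\?", Matcher.quoteReplacement("'" + pwd + "'"));
    }

    // Parameter binding: the SQL text sent to the driver is QUERY itself, with both
    // '?' left in place; the values travel separately, so they cannot alter the
    // statement's structure whatever characters they contain.
    static ResultSet runPrepared(Connection con, String username, String pwd)
            throws SQLException {
        PreparedStatement ps = con.prepareStatement(QUERY);
        ps.setString(1, username);
        ps.setString(2, pwd);
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        // Constructed sample input, the same idea as the " or 1=1" password above.
        String hostile = "x' or '1'='1";
        System.out.println(buildByReplacement("abc", "abc"));
        System.out.println(buildByReplacement("abc", hostile));
        // In the second query the WHERE clause has gained an "or '1'='1'" branch, so the
        // password check is no longer the only condition. runPrepared(con, "abc", hostile)
        // would instead compare pwd against the literal text x' or '1'='1.
        System.out.println(buildByReplacement("abc", "pa$$word")); // no exception: quoteReplacement
    }
}
```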

OT regarding String replacement, but if you are planning to use SQL with JDBC, have a look at PreparedStatement, which does this for you and prevents SQL injection. http://download.oracle.com/javase/6/docs/api/java/sql/PreparedStatement.html

Gandalf

You can use String.format for this scenario, i.e.

query = String.format(query,username,pwd);

use %s instead of ?

Nirmal- thInk beYond