Using “like” wildcard in prepared statement












141















I am using prepared statements to execute mysql database queries. And I want to implement a search functionality based on a keyword of sorts.



For that I need to use LIKE keyword, that much I know. And I have also used prepared statements before, but I do not know how to use it with LIKE because from the following code where would I add the 'keyword%'?



Can I directly use it in the pstmt.setString(1, notes) as (1, notes+"%") or something like that. I see a lot of posts on this on the web but no good answer anywhere.



PreparedStatement pstmt = con.prepareStatement(
"SELECT * FROM analysis WHERE notes like ?");
pstmt.setString(1, notes);
ResultSet rs = pstmt.executeQuery();









share|improve this question





























    141















    I am using prepared statements to execute mysql database queries. And I want to implement a search functionality based on a keyword of sorts.



    For that I need to use LIKE keyword, that much I know. And I have also used prepared statements before, but I do not know how to use it with LIKE because from the following code where would I add the 'keyword%'?



    Can I directly use it in the pstmt.setString(1, notes) as (1, notes+"%") or something like that. I see a lot of posts on this on the web but no good answer anywhere.



    PreparedStatement pstmt = con.prepareStatement(
    "SELECT * FROM analysis WHERE notes like ?");
    pstmt.setString(1, notes);
    ResultSet rs = pstmt.executeQuery();









    share|improve this question



























      141












      141








      141


      22






      I am using prepared statements to execute mysql database queries. And I want to implement a search functionality based on a keyword of sorts.



      For that I need to use LIKE keyword, that much I know. And I have also used prepared statements before, but I do not know how to use it with LIKE because from the following code where would I add the 'keyword%'?



      Can I directly use it in the pstmt.setString(1, notes) as (1, notes+"%") or something like that. I see a lot of posts on this on the web but no good answer anywhere.



      PreparedStatement pstmt = con.prepareStatement(
      "SELECT * FROM analysis WHERE notes like ?");
      pstmt.setString(1, notes);
      ResultSet rs = pstmt.executeQuery();









      share|improve this question
















      I am using prepared statements to execute mysql database queries. And I want to implement a search functionality based on a keyword of sorts.



      For that I need to use LIKE keyword, that much I know. And I have also used prepared statements before, but I do not know how to use it with LIKE because from the following code where would I add the 'keyword%'?



      Can I directly use it in the pstmt.setString(1, notes) as (1, notes+"%") or something like that. I see a lot of posts on this on the web but no good answer anywhere.



      PreparedStatement pstmt = con.prepareStatement(
      "SELECT * FROM analysis WHERE notes like ?");
      pstmt.setString(1, notes);
      ResultSet rs = pstmt.executeQuery();






      java mysql jdbc prepared-statement






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 21 '12 at 1:34







      user806549

















      asked Nov 23 '11 at 19:28









      ssnssn

      93331322




      93331322
























          5 Answers
          5






          active

          oldest

          votes


















          238














          You need to set it in the value itself, not in the prepared statement SQL string.



          So, this should do for a prefix-match:



          notes = notes
          .replace("!", "!!")
          .replace("%", "!%")
          .replace("_", "!_")
          .replace("[", "![");
          PreparedStatement pstmt = con.prepareStatement(
          "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");
          pstmt.setString(1, notes + "%");


          or a suffix-match:



          pstmt.setString(1, "%" + notes);


          or a global match:



          pstmt.setString(1, "%" + notes + "%");





          share|improve this answer





















          • 16





            +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

            – pilcrow
            Nov 23 '11 at 19:42











          • how do i do it with NON-CASE SENSITIVE mode? :)

            – Alpha Gabriel V. Timbol
            Aug 26 '15 at 13:52






          • 1





            Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

            – Zig
            Nov 20 '15 at 17:30








          • 1





            @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

            – BalusC
            Dec 23 '15 at 22:47








          • 2





            @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

            – Alain O'Dea
            Dec 24 '15 at 2:18



















          22














          Code it like this:



          PreparedStatement pstmt = con.prepareStatement(
          "SELECT * FROM analysis WHERE notes like ?");
          pstmt.setString(1, notes + "%");`


          Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.



          pstmt.setString(1,"'%"+ notes + "%'");





          share|improve this answer





















          • 3





            Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

            – Markus W Mahlberg
            Mar 14 '15 at 14:01






          • 1





            Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

            – asgs
            Jun 14 '15 at 20:27



















          4














          PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");
          ps.setString(1, name + '%');


          Try this out.






          share|improve this answer































            1














            String fname = "Samu0025";

            PreparedStatement ps= conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");

            ps.setString(1, fname);





            share|improve this answer





















            • 2





              Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer

              – Sketchy Coder
              Nov 15 '17 at 13:32



















            -4














            String query="select * from test1 where "+selected+" like '%"+SelectedStr+"%';";


            PreparedStatement preparedStatement=con.prepareStatement(query);


            // where seleced and SelectedStr are String Variables in my program





            share|improve this answer


























            • Unsafe + anti-pattern; downvoted.

              – 6infinity8
              Oct 12 '18 at 22:12











            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f8247970%2fusing-like-wildcard-in-prepared-statement%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            5 Answers
            5






            active

            oldest

            votes








            5 Answers
            5






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            238














            You need to set it in the value itself, not in the prepared statement SQL string.



            So, this should do for a prefix-match:



            notes = notes
            .replace("!", "!!")
            .replace("%", "!%")
            .replace("_", "!_")
            .replace("[", "![");
            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");
            pstmt.setString(1, notes + "%");


            or a suffix-match:



            pstmt.setString(1, "%" + notes);


            or a global match:



            pstmt.setString(1, "%" + notes + "%");





            share|improve this answer





















            • 16





              +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

              – pilcrow
              Nov 23 '11 at 19:42











            • how do i do it with NON-CASE SENSITIVE mode? :)

              – Alpha Gabriel V. Timbol
              Aug 26 '15 at 13:52






            • 1





              Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

              – Zig
              Nov 20 '15 at 17:30








            • 1





              @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

              – BalusC
              Dec 23 '15 at 22:47








            • 2





              @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

              – Alain O'Dea
              Dec 24 '15 at 2:18
















            238














            You need to set it in the value itself, not in the prepared statement SQL string.



            So, this should do for a prefix-match:



            notes = notes
            .replace("!", "!!")
            .replace("%", "!%")
            .replace("_", "!_")
            .replace("[", "![");
            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");
            pstmt.setString(1, notes + "%");


            or a suffix-match:



            pstmt.setString(1, "%" + notes);


            or a global match:



            pstmt.setString(1, "%" + notes + "%");





            share|improve this answer





















            • 16





              +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

              – pilcrow
              Nov 23 '11 at 19:42











            • how do i do it with NON-CASE SENSITIVE mode? :)

              – Alpha Gabriel V. Timbol
              Aug 26 '15 at 13:52






            • 1





              Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

              – Zig
              Nov 20 '15 at 17:30








            • 1





              @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

              – BalusC
              Dec 23 '15 at 22:47








            • 2





              @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

              – Alain O'Dea
              Dec 24 '15 at 2:18














            238












            238








            238







            You need to set it in the value itself, not in the prepared statement SQL string.



            So, this should do for a prefix-match:



            notes = notes
            .replace("!", "!!")
            .replace("%", "!%")
            .replace("_", "!_")
            .replace("[", "![");
            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");
            pstmt.setString(1, notes + "%");


            or a suffix-match:



            pstmt.setString(1, "%" + notes);


            or a global match:



            pstmt.setString(1, "%" + notes + "%");





            share|improve this answer















            You need to set it in the value itself, not in the prepared statement SQL string.



            So, this should do for a prefix-match:



            notes = notes
            .replace("!", "!!")
            .replace("%", "!%")
            .replace("_", "!_")
            .replace("[", "![");
            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");
            pstmt.setString(1, notes + "%");


            or a suffix-match:



            pstmt.setString(1, "%" + notes);


            or a global match:



            pstmt.setString(1, "%" + notes + "%");






            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Dec 23 '15 at 22:23









            Alain O'Dea

            14.2k13455




            14.2k13455










            answered Nov 23 '11 at 19:35









            BalusCBalusC

            848k29831443217




            848k29831443217








            • 16





              +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

              – pilcrow
              Nov 23 '11 at 19:42











            • how do i do it with NON-CASE SENSITIVE mode? :)

              – Alpha Gabriel V. Timbol
              Aug 26 '15 at 13:52






            • 1





              Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

              – Zig
              Nov 20 '15 at 17:30








            • 1





              @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

              – BalusC
              Dec 23 '15 at 22:47








            • 2





              @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

              – Alain O'Dea
              Dec 24 '15 at 2:18














            • 16





              +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

              – pilcrow
              Nov 23 '11 at 19:42











            • how do i do it with NON-CASE SENSITIVE mode? :)

              – Alpha Gabriel V. Timbol
              Aug 26 '15 at 13:52






            • 1





              Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

              – Zig
              Nov 20 '15 at 17:30








            • 1





              @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

              – BalusC
              Dec 23 '15 at 22:47








            • 2





              @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

              – Alain O'Dea
              Dec 24 '15 at 2:18








            16




            16





            +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

            – pilcrow
            Nov 23 '11 at 19:42





            +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

            – pilcrow
            Nov 23 '11 at 19:42













            how do i do it with NON-CASE SENSITIVE mode? :)

            – Alpha Gabriel V. Timbol
            Aug 26 '15 at 13:52





            how do i do it with NON-CASE SENSITIVE mode? :)

            – Alpha Gabriel V. Timbol
            Aug 26 '15 at 13:52




            1




            1





            Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

            – Zig
            Nov 20 '15 at 17:30







            Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

            – Zig
            Nov 20 '15 at 17:30






            1




            1





            @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

            – BalusC
            Dec 23 '15 at 22:47







            @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

            – BalusC
            Dec 23 '15 at 22:47






            2




            2





            @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

            – Alain O'Dea
            Dec 24 '15 at 2:18





            @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

            – Alain O'Dea
            Dec 24 '15 at 2:18













            22














            Code it like this:



            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes like ?");
            pstmt.setString(1, notes + "%");`


            Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.



            pstmt.setString(1,"'%"+ notes + "%'");





            share|improve this answer





















            • 3





              Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

              – Markus W Mahlberg
              Mar 14 '15 at 14:01






            • 1





              Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

              – asgs
              Jun 14 '15 at 20:27
















            22














            Code it like this:



            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes like ?");
            pstmt.setString(1, notes + "%");`


            Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.



            pstmt.setString(1,"'%"+ notes + "%'");





            share|improve this answer





















            • 3





              Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

              – Markus W Mahlberg
              Mar 14 '15 at 14:01






            • 1





              Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

              – asgs
              Jun 14 '15 at 20:27














            22












            22








            22







            Code it like this:



            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes like ?");
            pstmt.setString(1, notes + "%");`


            Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.



            pstmt.setString(1,"'%"+ notes + "%'");





            share|improve this answer















            Code it like this:



            PreparedStatement pstmt = con.prepareStatement(
            "SELECT * FROM analysis WHERE notes like ?");
            pstmt.setString(1, notes + "%");`


            Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.



            pstmt.setString(1,"'%"+ notes + "%'");






            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Sep 5 '17 at 12:36









            Vlad Schnakovszki

            5,08434992




            5,08434992










            answered Mar 14 '15 at 13:24









            The Wedding WolfThe Wedding Wolf

            23722




            23722








            • 3





              Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

              – Markus W Mahlberg
              Mar 14 '15 at 14:01






            • 1





              Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

              – asgs
              Jun 14 '15 at 20:27














            • 3





              Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

              – Markus W Mahlberg
              Mar 14 '15 at 14:01






            • 1





              Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

              – asgs
              Jun 14 '15 at 20:27








            3




            3





            Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

            – Markus W Mahlberg
            Mar 14 '15 at 14:01





            Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

            – Markus W Mahlberg
            Mar 14 '15 at 14:01




            1




            1





            Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

            – asgs
            Jun 14 '15 at 20:27





            Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

            – asgs
            Jun 14 '15 at 20:27











            4














            PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");
            ps.setString(1, name + '%');


            Try this out.






            share|improve this answer




























              4














              PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");
              ps.setString(1, name + '%');


              Try this out.






              share|improve this answer


























                4












                4








                4







                PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");
                ps.setString(1, name + '%');


                Try this out.






                share|improve this answer













                PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");
                ps.setString(1, name + '%');


                Try this out.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Mar 10 '16 at 18:01









                FaizFaiz

                33525




                33525























                    1














                    String fname = "Samu0025";

                    PreparedStatement ps= conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");

                    ps.setString(1, fname);





                    share|improve this answer





















                    • 2





                      Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer

                      – Sketchy Coder
                      Nov 15 '17 at 13:32
















                    1














                    String fname = "Samu0025";

                    PreparedStatement ps= conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");

                    ps.setString(1, fname);





                    share|improve this answer





















                    • 2





                      Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer

                      – Sketchy Coder
                      Nov 15 '17 at 13:32














                    1












                    1








                    1







                    String fname = "Samu0025";

                    PreparedStatement ps= conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");

                    ps.setString(1, fname);





                    share|improve this answer















                    String fname = "Samu0025";

                    PreparedStatement ps= conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");

                    ps.setString(1, fname);






                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Jun 13 '18 at 16:15









                    Young Emil

                    1,46011124




                    1,46011124










                    answered Nov 15 '17 at 13:27









                    Ram KumarRam Kumar

                    111




                    111








                    • 2





                      Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer

                      – Sketchy Coder
                      Nov 15 '17 at 13:32














                    • 2





                      Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer

                      – Sketchy Coder
                      Nov 15 '17 at 13:32








                    2




                    2





                    Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer

                    – Sketchy Coder
                    Nov 15 '17 at 13:32





                    Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer

                    – Sketchy Coder
                    Nov 15 '17 at 13:32











                    -4














                    String query="select * from test1 where "+selected+" like '%"+SelectedStr+"%';";


                    PreparedStatement preparedStatement=con.prepareStatement(query);


                    // where seleced and SelectedStr are String Variables in my program





                    share|improve this answer


























                    • Unsafe + anti-pattern; downvoted.

                      – 6infinity8
                      Oct 12 '18 at 22:12
















                    -4














                    String query="select * from test1 where "+selected+" like '%"+SelectedStr+"%';";


                    PreparedStatement preparedStatement=con.prepareStatement(query);


                    // where seleced and SelectedStr are String Variables in my program





                    share|improve this answer


























                    • Unsafe + anti-pattern; downvoted.

                      – 6infinity8
                      Oct 12 '18 at 22:12














                    -4












                    -4








                    -4







                    String query="select * from test1 where "+selected+" like '%"+SelectedStr+"%';";


                    PreparedStatement preparedStatement=con.prepareStatement(query);


                    // where seleced and SelectedStr are String Variables in my program





                    share|improve this answer















                    String query="select * from test1 where "+selected+" like '%"+SelectedStr+"%';";


                    PreparedStatement preparedStatement=con.prepareStatement(query);


                    // where seleced and SelectedStr are String Variables in my program






                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Oct 5 '18 at 3:08









                    Jayendran

                    3,34331337




                    3,34331337










                    answered Oct 5 '18 at 0:33









                    mahesh dhotemahesh dhote

                    1




                    1













                    • Unsafe + anti-pattern; downvoted.

                      – 6infinity8
                      Oct 12 '18 at 22:12



















                    • Unsafe + anti-pattern; downvoted.

                      – 6infinity8
                      Oct 12 '18 at 22:12

















                    Unsafe + anti-pattern; downvoted.

                    – 6infinity8
                    Oct 12 '18 at 22:12





                    Unsafe + anti-pattern; downvoted.

                    – 6infinity8
                    Oct 12 '18 at 22:12


















                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f8247970%2fusing-like-wildcard-in-prepared-statement%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    How to change which sound is reproduced for terminal bell?

                    Can I use Tabulator js library in my java Spring + Thymeleaf project?

                    Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents