Sql Query LIKE not working - mysql

Hi i have trying to do a query, that receives the value on a querystring, but is not working i think the query it self is no good. could you help me?
So i receive the query on
<%String detalhe = request.getParameter("value");%>
I wont put connections and stuff, because they work with other querys, so the problem are not the connections.
// sql query to retrieve values from the specified table.
String QueryString = "SELECT * FROM ebooko.dadoslivros WHERE Autor LIKE '%"+detalhe+"%'
OR ano LIKE '%"+detalhe+"%'";;
rs = statement.executeQuery(QueryString);
It simply cannot retrive the value, i'm querying.
Adicional info:
Table: dadoslivros
Columns that i need to compare the value: Autor, ano.
for example when i run the Href the value that is passed is: Jules%Verne (i gess it changes SPACES with '%'.

Use URLDecoder#decode() to decode the parameters in the query string.
You should also consider using a PreparedStatement to prevent SQL injection attacks.

I solved it changing the query:
String QueryString = "SELECT * FROM dadoslivros WHERE (Data LIKE '%"+detalhe+"%') OR (Autor LIKE '%"+detalhe+"%')";;
maybe it can help another person ;)

Related

where condition is not recognizing my full String

I am using spring and hibernate in my project. This is My Query. When I execute this query I am getting data from DB. But if I frame the query like this I am getting 0 records.
String fullname1 = "this is my String";
select name,gender from account where fullname='fullname1';
If I create query like this I am getting data. But fullname1 is not a static data.
select name,gender from account where fullname like '%this%';
Problem is if my fullname1 is have only one word then I am getting proper data. If it has multiple words I am not getting data.
Can any one suggest me how to frame query in this situation.
Try to concatenate your string to search like this
select name,gender from account where fullname like '%' + yourVariable + '%';
Assuming yourVariable is containing the string which you want to search.
EDIT:
As confirmed by OP in comments the query which worked for him/her is:
select name,gender from account where fullname='" + fullname1+ "'";
Also your query is prone to SQL Injection. So it is better to use Prepared statement.

How to query database if we need to query with an array of id's in jsp?

After selecting some products a user clicked on proceed button. Now I need to display the selected data on next page. I was successful in getting the id's of selected data using the following code.
String[] array = request.getParameterValues("arrayid");
Now I need to query mysql database using "select * from table where id=?"
I can use this query in a loop. But is there any other or a better way to do this?
Use IN keyword while selecting as select * from table where id IN(comma separated ids)
String[] array = request.getParameterValues("arrayid");
String sql = "SELECT * FROM TABLENAME WHERE id IN ?";
PreparedStatement ps = con.prepareStatement(sql);
ps.setArray(1,con.createArrayOf("CHAR", array));
If your question is how to query for a set of IDs in a table, the other answers correctly refer you to SQL's IN keyword. However if you're asking specifically how to do it in Java, JDBC's PreparedStatement, which is the generally recommended way of executing queries in Java, does not make constructing these IN statements easy. I posted a suggested way to address this issue reasonably cleanly here: Can PreparedStatement.addBatch() be used for SELECT queries?

Inability to retrieve unicode resultset

I have been able to successfully insert unicode values into my database but am not able to retrieve them through a java resultset. The same query fetches data from the mysql query browser. The sql reads thus:
SELECT book_name FROM book_resource_user_view WHERE MATCH(book_name) AGAINST ('तेरा मुझसे है पेहला का नाता कोई') limit 25
Before attempting the select statement, I did this:
String query = "set names utf8";
state.executeUpdate(query);
Still no success? Any suggestions?
I seemed to have found the answer. I had modified the keyword variable using
keyword = new String(keyword.getBytes("ISO-8859-1"), "UTF-8");
After I commented that statement and used the keyword variable directly from the form, it seems to work.

Search returns no rows in mysql query using LIKE and values having "\"

I have some problem regarding the search in mysql.
Below is my query.
SELECT * FROM table WHERE name LIKE "%admin\'s%";
When i am executing this query it will return zero data.
actually i have "admin\'s" stored in db. this "\" is to prevent sql injection. i have used mysql_real_escape_string to prevent the sql injection.
but when i use three times addslashes to my variable it works.
So my below query is working.
SELECT * FROM table WHERE name LIKE "%admin\\\\\\\'s%";
My above query will return the data with name like admin's.
I am not getting where i am wrong.
well for one you shouldnt have data like this in your DB admin\'s .. most likely you double escaped your string ( check if you don't have magic_quotes enabled on your server ).
If you only do
INSERT ... username = "admin\'s";
you will have in your db the username value admin's
so my recomandation would be to go ahead and remove the slashes from your database and then your first query should work.

JDBC prepareStatement doesn't work

I'm trying to use the prepareStatement function. The code is below. After it executes, it returns me a bunch of vlicense strings instead of the values.
When the code finishing the statement.setString(), the statement becomes:
select 'vlicense' from Vehicle
However, it needs to be:
select vlicense from Vehicle
without the quotation marks. Can anyone tell me what's the problem?
statement = oConnection.prepareStatement("select ? from Vehicle");
String tempString = "vlicense";
statement.setString(1, tempString);
resultSet = statement.executeQuery();
You can't use parameter markers for column names, table names, data type names, or basically anything that isn't data.
When you add a bind variable to a statement like this it is escaped, so that actual SQL string in your example would go to the database as "SELECT 'vlicense' FROM Vehicle', selecting a literal string instead of the column name you want.
You need to concatenate that variable column name into your SQL statement before you prepare it:
statement = oConnection.prepareStatement("SELECT " + vlicense + " FROM Vehicle");
Bind variables are really for query parameters as opposed to dynamic queries.
The ? can't be used to specify the fields, just to do some filters in your query like:
statement = conn.prepareStatement("select field from Vehicle where name=?");
In your case your query is built as:
select 'vlicense' from Vehicle
which means: GET ME A STRING 'vlicense' FOR EACH RECORD OF 'Vehicle'. And you'll get n repeated strings depending on the number of records in your table
It has nothing to do with jdbc, prepared-statements or mysql.
It's just a wrong sql statement.
If you type:
Select 'justanexample' from Vehicle
and the table contains 4 lines, you will get 4 times
'justanexample'
'justanexample'
'justanexample'
'justanexample'
as result.
You did not specify your the table structure, but I guess the
statement should somehow look like this:
select * from Vehicle where license = ?