Using “like” wildcard in prepared statement

138

I am using prepared statements to execute mysql database queries. And I want to implement a search functionality based on a keyword of sorts.

For that I need to use LIKE keyword, that much I know. And I have also used prepared statements before, but I do not know how to use it with LIKE because from the following code where would I add the 'keyword%'?

Can I directly use it in the pstmt.setString(1, notes) as (1, notes+"%") or something like that. I see a lot of posts on this on the web but no good answer anywhere.

PreparedStatement pstmt = con.prepareStatement(

      "SELECT * FROM analysis WHERE notes like ?");

pstmt.setString(1, notes);

ResultSet rs = pstmt.executeQuery();

java mysql jdbc prepared-statement

share|improve this question

edited Jan 21 '12 at 1:34

user806549

asked Nov 23 '11 at 19:28

ssnssn

91331322

add a comment | 

138

I am using prepared statements to execute mysql database queries. And I want to implement a search functionality based on a keyword of sorts.

For that I need to use LIKE keyword, that much I know. And I have also used prepared statements before, but I do not know how to use it with LIKE because from the following code where would I add the 'keyword%'?

Can I directly use it in the pstmt.setString(1, notes) as (1, notes+"%") or something like that. I see a lot of posts on this on the web but no good answer anywhere.

PreparedStatement pstmt = con.prepareStatement(

      "SELECT * FROM analysis WHERE notes like ?");

pstmt.setString(1, notes);

ResultSet rs = pstmt.executeQuery();

java mysql jdbc prepared-statement

share|improve this question

edited Jan 21 '12 at 1:34

user806549

asked Nov 23 '11 at 19:28

ssnssn

91331322

add a comment | 

138

138

138

22

I am using prepared statements to execute mysql database queries. And I want to implement a search functionality based on a keyword of sorts.

For that I need to use LIKE keyword, that much I know. And I have also used prepared statements before, but I do not know how to use it with LIKE because from the following code where would I add the 'keyword%'?

Can I directly use it in the pstmt.setString(1, notes) as (1, notes+"%") or something like that. I see a lot of posts on this on the web but no good answer anywhere.

PreparedStatement pstmt = con.prepareStatement(

      "SELECT * FROM analysis WHERE notes like ?");

pstmt.setString(1, notes);

ResultSet rs = pstmt.executeQuery();

java mysql jdbc prepared-statement

share|improve this question

edited Jan 21 '12 at 1:34

user806549

asked Nov 23 '11 at 19:28

ssnssn

91331322

I am using prepared statements to execute mysql database queries. And I want to implement a search functionality based on a keyword of sorts.

For that I need to use LIKE keyword, that much I know. And I have also used prepared statements before, but I do not know how to use it with LIKE because from the following code where would I add the 'keyword%'?

Can I directly use it in the pstmt.setString(1, notes) as (1, notes+"%") or something like that. I see a lot of posts on this on the web but no good answer anywhere.

PreparedStatement pstmt = con.prepareStatement(

      "SELECT * FROM analysis WHERE notes like ?");

pstmt.setString(1, notes);

ResultSet rs = pstmt.executeQuery();

java mysql jdbc prepared-statement

java mysql jdbc prepared-statement

share|improve this question

edited Jan 21 '12 at 1:34

user806549

asked Nov 23 '11 at 19:28

ssnssn

91331322

share|improve this question

edited Jan 21 '12 at 1:34

user806549

asked Nov 23 '11 at 19:28

ssnssn

91331322

share|improve this question

share|improve this question

edited Jan 21 '12 at 1:34

user806549

edited Jan 21 '12 at 1:34

user806549

edited Jan 21 '12 at 1:34

user806549

asked Nov 23 '11 at 19:28

ssnssn

91331322

asked Nov 23 '11 at 19:28

ssnssn

91331322

asked Nov 23 '11 at 19:28

ssnssn

91331322

91331322

add a comment | 

add a comment | 

5 Answers
5

active

oldest

votes

236

You need to set it in the value itself, not in the prepared statement SQL string.

So, this should do for a prefix-match:

notes = notes

    .replace("!", "!!")

    .replace("%", "!%")

    .replace("_", "!_")

    .replace("[", "![");

PreparedStatement pstmt = con.prepareStatement(

        "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");

pstmt.setString(1, notes + "%");

or a suffix-match:

pstmt.setString(1, "%" + notes);

or a global match:

pstmt.setString(1, "%" + notes + "%");

share|improve this answer

edited Dec 23 '15 at 22:23

Alain O'Dea

14.1k13454

answered Nov 23 '11 at 19:35

BalusCBalusC

844k29731273207

• 
  
  
  

  
  15
  

  
  
  
  
  
  

  
  
  +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.
  
  – pilcrow
  Nov 23 '11 at 19:42
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  how do i do it with NON-CASE SENSITIVE mode? :)
  
  – Alpha Gabriel V. Timbol
  Aug 26 '15 at 13:52
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")
  
  – Zig
  Nov 20 '15 at 17:30
  
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.
  
  – BalusC
  Dec 23 '15 at 22:47
  
  
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.
  
  – Alain O'Dea
  Dec 24 '15 at 2:18
  

  
  
  
  

 | 
show 6 more comments

21

Code it like this:

PreparedStatement pstmt = con.prepareStatement(

    "SELECT * FROM analysis WHERE notes like ?");

pstmt.setString(1, notes + "%");`

Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.

pstmt.setString(1,"'%"+ notes + "%'");

share|improve this answer

edited Sep 5 '17 at 12:36

Vlad Schnakovszki

5,01934891

answered Mar 14 '15 at 13:24

The Wedding WolfThe Wedding Wolf

22722

• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.
  
  – Markus W Mahlberg
  Mar 14 '15 at 14:01
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!
  
  – asgs
  Jun 14 '15 at 20:27
  

  
  
  
  

add a comment | 

4

PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");

ps.setString(1, name + '%');

Try this out.

share|improve this answer

answered Mar 10 '16 at 18:01

FaizFaiz

33525

add a comment | 

1

String fname = "Samu0025";



PreparedStatement ps= conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");



ps.setString(1, fname);

share|improve this answer

edited Jun 13 '18 at 16:15

Young Emil

1,43511124

answered Nov 15 '17 at 13:27

Ram KumarRam Kumar

111

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer
  
  – Sketchy Coder
  Nov 15 '17 at 13:32
  

  
  
  
  

add a comment | 

-4

String query="select * from test1 where "+selected+" like '%"+SelectedStr+"%';";





PreparedStatement preparedStatement=con.prepareStatement(query);





// where seleced and SelectedStr are String Variables in my program

share|improve this answer

edited Oct 5 '18 at 3:08

Jayendran

3,23131336

answered Oct 5 '18 at 0:33

mahesh dhotemahesh dhote

1

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Unsafe + anti-pattern; downvoted.
  
  – 6infinity8
  Oct 12 '18 at 22:12
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f8247970%2fusing-like-wildcard-in-prepared-statement%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

5 Answers
5

active

oldest

votes

5 Answers
5

active

oldest

votes

active

oldest

votes

active

oldest

votes

236

You need to set it in the value itself, not in the prepared statement SQL string.

So, this should do for a prefix-match:

notes = notes

    .replace("!", "!!")

    .replace("%", "!%")

    .replace("_", "!_")

    .replace("[", "![");

PreparedStatement pstmt = con.prepareStatement(

        "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");

pstmt.setString(1, notes + "%");

or a suffix-match:

pstmt.setString(1, "%" + notes);

or a global match:

pstmt.setString(1, "%" + notes + "%");

share|improve this answer

edited Dec 23 '15 at 22:23

Alain O'Dea

14.1k13454

answered Nov 23 '11 at 19:35

BalusCBalusC

844k29731273207

• 
  
  
  

  
  15
  

  
  
  
  
  
  

  
  
  +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.
  
  – pilcrow
  Nov 23 '11 at 19:42
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  how do i do it with NON-CASE SENSITIVE mode? :)
  
  – Alpha Gabriel V. Timbol
  Aug 26 '15 at 13:52
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")
  
  – Zig
  Nov 20 '15 at 17:30
  
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.
  
  – BalusC
  Dec 23 '15 at 22:47
  
  
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.
  
  – Alain O'Dea
  Dec 24 '15 at 2:18
  

  
  
  
  

 | 
show 6 more comments

236

You need to set it in the value itself, not in the prepared statement SQL string.

So, this should do for a prefix-match:

notes = notes

    .replace("!", "!!")

    .replace("%", "!%")

    .replace("_", "!_")

    .replace("[", "![");

PreparedStatement pstmt = con.prepareStatement(

        "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");

pstmt.setString(1, notes + "%");

or a suffix-match:

pstmt.setString(1, "%" + notes);

or a global match:

pstmt.setString(1, "%" + notes + "%");

share|improve this answer

edited Dec 23 '15 at 22:23

Alain O'Dea

14.1k13454

answered Nov 23 '11 at 19:35

BalusCBalusC

844k29731273207

• 
  
  
  

  
  15
  

  
  
  
  
  
  

  
  
  +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.
  
  – pilcrow
  Nov 23 '11 at 19:42
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  how do i do it with NON-CASE SENSITIVE mode? :)
  
  – Alpha Gabriel V. Timbol
  Aug 26 '15 at 13:52
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")
  
  – Zig
  Nov 20 '15 at 17:30
  
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.
  
  – BalusC
  Dec 23 '15 at 22:47
  
  
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.
  
  – Alain O'Dea
  Dec 24 '15 at 2:18
  

  
  
  
  

 | 
show 6 more comments

236

236

236

You need to set it in the value itself, not in the prepared statement SQL string.

So, this should do for a prefix-match:

notes = notes

    .replace("!", "!!")

    .replace("%", "!%")

    .replace("_", "!_")

    .replace("[", "![");

PreparedStatement pstmt = con.prepareStatement(

        "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");

pstmt.setString(1, notes + "%");

or a suffix-match:

pstmt.setString(1, "%" + notes);

or a global match:

pstmt.setString(1, "%" + notes + "%");

share|improve this answer

edited Dec 23 '15 at 22:23

Alain O'Dea

14.1k13454

answered Nov 23 '11 at 19:35

BalusCBalusC

844k29731273207

You need to set it in the value itself, not in the prepared statement SQL string.

So, this should do for a prefix-match:

notes = notes

    .replace("!", "!!")

    .replace("%", "!%")

    .replace("_", "!_")

    .replace("[", "![");

PreparedStatement pstmt = con.prepareStatement(

        "SELECT * FROM analysis WHERE notes LIKE ? ESCAPE '!'");

pstmt.setString(1, notes + "%");

or a suffix-match:

pstmt.setString(1, "%" + notes);

or a global match:

pstmt.setString(1, "%" + notes + "%");

share|improve this answer

edited Dec 23 '15 at 22:23

Alain O'Dea

14.1k13454

answered Nov 23 '11 at 19:35

BalusCBalusC

844k29731273207

share|improve this answer

share|improve this answer

edited Dec 23 '15 at 22:23

Alain O'Dea

14.1k13454

edited Dec 23 '15 at 22:23

Alain O'Dea

14.1k13454

edited Dec 23 '15 at 22:23

Alain O'Dea

14.1k13454

14.1k13454

answered Nov 23 '11 at 19:35

BalusCBalusC

844k29731273207

answered Nov 23 '11 at 19:35

BalusCBalusC

844k29731273207

answered Nov 23 '11 at 19:35

BalusCBalusC

844k29731273207

844k29731273207

• 
  
  
  

  
  15
  

  
  
  
  
  
  

  
  
  +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.
  
  – pilcrow
  Nov 23 '11 at 19:42
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  how do i do it with NON-CASE SENSITIVE mode? :)
  
  – Alpha Gabriel V. Timbol
  Aug 26 '15 at 13:52
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")
  
  – Zig
  Nov 20 '15 at 17:30
  
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.
  
  – BalusC
  Dec 23 '15 at 22:47
  
  
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.
  
  – Alain O'Dea
  Dec 24 '15 at 2:18
  

  
  
  
  

 | 
show 6 more comments

• 
  
  
  

  
  15
  

  
  
  
  
  
  

  
  
  +1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.
  
  – pilcrow
  Nov 23 '11 at 19:42
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  how do i do it with NON-CASE SENSITIVE mode? :)
  
  – Alpha Gabriel V. Timbol
  Aug 26 '15 at 13:52
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")
  
  – Zig
  Nov 20 '15 at 17:30
  
  
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.
  
  – BalusC
  Dec 23 '15 at 22:47
  
  
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  @BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.
  
  – Alain O'Dea
  Dec 24 '15 at 2:18
  

  
  
  
  

15

15

+1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

– pilcrow
Nov 23 '11 at 19:42

+1 The OP could "set" it in the SQL — as by ... LIKE '%' || ? || '%' or similar — but that's much less flexible.

– pilcrow
Nov 23 '11 at 19:42

how do i do it with NON-CASE SENSITIVE mode? :)

– Alpha Gabriel V. Timbol
Aug 26 '15 at 13:52

how do i do it with NON-CASE SENSITIVE mode? :)

– Alpha Gabriel V. Timbol
Aug 26 '15 at 13:52

1

1

Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

– Zig
Nov 20 '15 at 17:30

Non-case-sensitive can still use WHERE UPPER(?) LIKE UPPER(?) when using pstmt.setString(2, "%" + notes + "%")

– Zig
Nov 20 '15 at 17:30

1

1

@Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

– BalusC
Dec 23 '15 at 22:47

@Alain: Thank you. Just wondering, does this apply to all RDBMS the world is aware of? Perhaps '%' || ? || '%' as mentioned in 1st comment was better, after all? I don't have the opportunity to experiment right now.

– BalusC
Dec 23 '15 at 22:47

2

2

@BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

– Alain O'Dea
Dec 24 '15 at 2:18

@BalusC this applies to MSSQL, Postgres, and MySQL in my testing. The String being made into a parameter is itself interpreted as a mix of data and control instructions. SQL concatenation occurs before it is interpreted and preserves the vulnerability. The IEEE Center for Secure Design says to Strictly Separate Data and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources.

– Alain O'Dea
Dec 24 '15 at 2:18

 | 
show 6 more comments

21

Code it like this:

PreparedStatement pstmt = con.prepareStatement(

    "SELECT * FROM analysis WHERE notes like ?");

pstmt.setString(1, notes + "%");`

Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.

pstmt.setString(1,"'%"+ notes + "%'");

share|improve this answer

edited Sep 5 '17 at 12:36

Vlad Schnakovszki

5,01934891

answered Mar 14 '15 at 13:24

The Wedding WolfThe Wedding Wolf

22722

• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.
  
  – Markus W Mahlberg
  Mar 14 '15 at 14:01
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!
  
  – asgs
  Jun 14 '15 at 20:27
  

  
  
  
  

add a comment | 

21

Code it like this:

PreparedStatement pstmt = con.prepareStatement(

    "SELECT * FROM analysis WHERE notes like ?");

pstmt.setString(1, notes + "%");`

Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.

pstmt.setString(1,"'%"+ notes + "%'");

share|improve this answer

edited Sep 5 '17 at 12:36

Vlad Schnakovszki

5,01934891

answered Mar 14 '15 at 13:24

The Wedding WolfThe Wedding Wolf

22722

• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.
  
  – Markus W Mahlberg
  Mar 14 '15 at 14:01
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!
  
  – asgs
  Jun 14 '15 at 20:27
  

  
  
  
  

add a comment | 

21

21

21

Code it like this:

PreparedStatement pstmt = con.prepareStatement(

    "SELECT * FROM analysis WHERE notes like ?");

pstmt.setString(1, notes + "%");`

Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.

pstmt.setString(1,"'%"+ notes + "%'");

share|improve this answer

edited Sep 5 '17 at 12:36

Vlad Schnakovszki

5,01934891

answered Mar 14 '15 at 13:24

The Wedding WolfThe Wedding Wolf

22722

Code it like this:

PreparedStatement pstmt = con.prepareStatement(

    "SELECT * FROM analysis WHERE notes like ?");

pstmt.setString(1, notes + "%");`

Make sure that you DO NOT include the quotes ' ' like below as they will cause an exception.

pstmt.setString(1,"'%"+ notes + "%'");

share|improve this answer

edited Sep 5 '17 at 12:36

Vlad Schnakovszki

5,01934891

answered Mar 14 '15 at 13:24

The Wedding WolfThe Wedding Wolf

22722

share|improve this answer

share|improve this answer

edited Sep 5 '17 at 12:36

Vlad Schnakovszki

5,01934891

edited Sep 5 '17 at 12:36

Vlad Schnakovszki

5,01934891

edited Sep 5 '17 at 12:36

Vlad Schnakovszki

5,01934891

5,01934891

answered Mar 14 '15 at 13:24

The Wedding WolfThe Wedding Wolf

22722

answered Mar 14 '15 at 13:24

The Wedding WolfThe Wedding Wolf

22722

answered Mar 14 '15 at 13:24

The Wedding WolfThe Wedding Wolf

22722

22722

• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.
  
  – Markus W Mahlberg
  Mar 14 '15 at 14:01
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!
  
  – asgs
  Jun 14 '15 at 20:27
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.
  
  – Markus W Mahlberg
  Mar 14 '15 at 14:01
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!
  
  – asgs
  Jun 14 '15 at 20:27
  

  
  
  
  

3

3

Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

– Markus W Mahlberg
Mar 14 '15 at 14:01

Thanks for your answer. You might want to read How do I write a good answer? to maximize the potential of your answers. Correct grammar and spelling as well as a thought out structure helps people to read and understand your intention.

– Markus W Mahlberg
Mar 14 '15 at 14:01

1

1

Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

– asgs
Jun 14 '15 at 20:27

Though it sounds like someone won't run into this assumption, it's actually very valid especially when working with Oracle. Thanks for pointing out!

– asgs
Jun 14 '15 at 20:27

add a comment | 

4

PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");

ps.setString(1, name + '%');

Try this out.

share|improve this answer

answered Mar 10 '16 at 18:01

FaizFaiz

33525

add a comment | 

4

PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");

ps.setString(1, name + '%');

Try this out.

share|improve this answer

answered Mar 10 '16 at 18:01

FaizFaiz

33525

add a comment | 

4

4

4

PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");

ps.setString(1, name + '%');

Try this out.

share|improve this answer

answered Mar 10 '16 at 18:01

FaizFaiz

33525

PreparedStatement ps = cn.prepareStatement("Select * from Users where User_FirstName LIKE ?");

ps.setString(1, name + '%');

Try this out.

share|improve this answer

answered Mar 10 '16 at 18:01

FaizFaiz

33525

share|improve this answer

share|improve this answer

answered Mar 10 '16 at 18:01

FaizFaiz

33525

answered Mar 10 '16 at 18:01

FaizFaiz

33525

answered Mar 10 '16 at 18:01

FaizFaiz

33525

33525

add a comment | 

add a comment | 

1

String fname = "Samu0025";



PreparedStatement ps= conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");



ps.setString(1, fname);

share|improve this answer

edited Jun 13 '18 at 16:15

Young Emil

1,43511124

answered Nov 15 '17 at 13:27

Ram KumarRam Kumar

111

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer
  
  – Sketchy Coder
  Nov 15 '17 at 13:32
  

  
  
  
  

add a comment | 

1

String fname = "Samu0025";



PreparedStatement ps= conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");



ps.setString(1, fname);

share|improve this answer

edited Jun 13 '18 at 16:15

Young Emil

1,43511124

answered Nov 15 '17 at 13:27

Ram KumarRam Kumar

111

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer
  
  – Sketchy Coder
  Nov 15 '17 at 13:32
  

  
  
  
  

add a comment | 

1

1

1

String fname = "Samu0025";



PreparedStatement ps= conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");



ps.setString(1, fname);

share|improve this answer

edited Jun 13 '18 at 16:15

Young Emil

1,43511124

answered Nov 15 '17 at 13:27

Ram KumarRam Kumar

111

String fname = "Samu0025";



PreparedStatement ps= conn.prepareStatement("SELECT * FROM Users WHERE User_FirstName LIKE ? ");



ps.setString(1, fname);

share|improve this answer

edited Jun 13 '18 at 16:15

Young Emil

1,43511124

answered Nov 15 '17 at 13:27

Ram KumarRam Kumar

111

share|improve this answer

share|improve this answer

edited Jun 13 '18 at 16:15

Young Emil

1,43511124

edited Jun 13 '18 at 16:15

Young Emil

1,43511124

edited Jun 13 '18 at 16:15

Young Emil

1,43511124

1,43511124

answered Nov 15 '17 at 13:27

Ram KumarRam Kumar

111

answered Nov 15 '17 at 13:27

Ram KumarRam Kumar

111

answered Nov 15 '17 at 13:27

Ram KumarRam Kumar

111

111

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer
  
  – Sketchy Coder
  Nov 15 '17 at 13:32
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer
  
  – Sketchy Coder
  Nov 15 '17 at 13:32
  

  
  
  
  

2

2

Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer

– Sketchy Coder
Nov 15 '17 at 13:32

Could you elaborate the answer rather than just giving the answer? See: stackoverflow.com/help/how-to-answer

– Sketchy Coder
Nov 15 '17 at 13:32

add a comment | 

-4

String query="select * from test1 where "+selected+" like '%"+SelectedStr+"%';";





PreparedStatement preparedStatement=con.prepareStatement(query);





// where seleced and SelectedStr are String Variables in my program

share|improve this answer

edited Oct 5 '18 at 3:08

Jayendran

3,23131336

answered Oct 5 '18 at 0:33

mahesh dhotemahesh dhote

1

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Unsafe + anti-pattern; downvoted.
  
  – 6infinity8
  Oct 12 '18 at 22:12
  

  
  
  
  

add a comment | 

-4

String query="select * from test1 where "+selected+" like '%"+SelectedStr+"%';";





PreparedStatement preparedStatement=con.prepareStatement(query);





// where seleced and SelectedStr are String Variables in my program

share|improve this answer

edited Oct 5 '18 at 3:08

Jayendran

3,23131336

answered Oct 5 '18 at 0:33

mahesh dhotemahesh dhote

1

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Unsafe + anti-pattern; downvoted.
  
  – 6infinity8
  Oct 12 '18 at 22:12
  

  
  
  
  

add a comment | 

-4

-4

-4

String query="select * from test1 where "+selected+" like '%"+SelectedStr+"%';";





PreparedStatement preparedStatement=con.prepareStatement(query);





// where seleced and SelectedStr are String Variables in my program

share|improve this answer

edited Oct 5 '18 at 3:08

Jayendran

3,23131336

answered Oct 5 '18 at 0:33

mahesh dhotemahesh dhote

1

String query="select * from test1 where "+selected+" like '%"+SelectedStr+"%';";





PreparedStatement preparedStatement=con.prepareStatement(query);





// where seleced and SelectedStr are String Variables in my program

share|improve this answer

edited Oct 5 '18 at 3:08

Jayendran

3,23131336

answered Oct 5 '18 at 0:33

mahesh dhotemahesh dhote

1

share|improve this answer

share|improve this answer

edited Oct 5 '18 at 3:08

Jayendran

3,23131336

edited Oct 5 '18 at 3:08

Jayendran

3,23131336

edited Oct 5 '18 at 3:08

Jayendran

3,23131336

3,23131336

answered Oct 5 '18 at 0:33

mahesh dhotemahesh dhote

1

answered Oct 5 '18 at 0:33

mahesh dhotemahesh dhote

1

answered Oct 5 '18 at 0:33

mahesh dhotemahesh dhote

1

1

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Unsafe + anti-pattern; downvoted.
  
  – 6infinity8
  Oct 12 '18 at 22:12
  

  
  
  
  

add a comment | 

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Unsafe + anti-pattern; downvoted.
  
  – 6infinity8
  Oct 12 '18 at 22:12
  

  
  
  
  

Unsafe + anti-pattern; downvoted.

– 6infinity8
Oct 12 '18 at 22:12

Unsafe + anti-pattern; downvoted.

– 6infinity8
Oct 12 '18 at 22:12

add a comment | 

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Thanks for contributing an answer to Stack Overflow!

• Please be sure to answer the question. Provide details and share your research!

But avoid …

• Asking for help, clarification, or responding to other answers.


• Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f8247970%2fusing-like-wildcard-in-prepared-statement%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

Name

Name

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Name

Name

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

Email

Required, but never shown

This page is only for reference, If you need detailed information, please check here