
I have two columns, username and password, in the USERS table. How can I get the values of username and password and compare them with another value in the program?

This is what I have, but Eclipse gives me an error:

String sql = "SELECT username, password FROM USERS WHERE username = ?";

ERROR:

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?' at line 1

Do not store passwords in plain text. – SLaks Jan 30 '13 at 2:04

How do I get them more secure in the database? – AppSensei Jan 30 '13 at 2:05

I'm guessing that you need to put single quotes before and after the ?, like this: "SELECT username, password FROM USERS WHERE username = '?' " – Weddy Jan 30 '13 at 2:06

Use a salt and hash to get them more secure. That's one way, at least. For the original question, can we see the code that is calling the SQL statement? – mrunion Jan 30 '13 at 2:06

Even better, use hashing. – FreshPrinceOfSO Jan 30 '13 at 2:14

1 Answer


You should either prepare your SQL statement and bind a parameter to the ?, or construct the SQL with the actual value of username before executing the query.

The former is the way to go to avoid SQL injection.

(But really, the former.) – user166390 Jan 30 '13 at 2:22

Exactly. Added to the answer. Thanks. – peterm Jan 30 '13 at 2:30
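The following is an added example, not code from the question or the answer above, showing what the accepted answer and the comments recommend together: the `?` placeholder is a bind parameter that only works through `PreparedStatement` (passing the string to a plain `Statement` is what produces the MySQL syntax error near `'?'`), and the stored password is a salted PBKDF2 hash compared in constant time rather than plain text. It assumes a `salt` column alongside `username` and `password` in `USERS`, Base64 encoding for the stored salt and hash, and a MySQL JDBC URL and credentials that you would replace with your own; the class and method names are my own.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginCheck {
    // Assumed schema: USERS(username VARCHAR, salt VARCHAR, password VARCHAR),
    // where password holds a Base64-encoded PBKDF2 hash, never the clear text.
    private static final int ITERATIONS = 100_000;
    private static final int KEY_LENGTH_BITS = 256;
    private static final int SALT_BYTES = 16;

    // Shown only for contrast: the value is glued into the SQL text, so a
    // username such as  x' OR '1'='1  rewrites the query. Do not use this.
    static String vulnerableSql(String username) {
        return "SELECT username, password FROM USERS WHERE username = '" + username + "'";
    }

    // Derives a fixed-length key from the password and salt with PBKDF2-HMAC-SHA256.
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_LENGTH_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    // Inserts a user with a fresh random salt; both bound values go through '?'.
    static void createUser(Connection conn, String username, char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2(password, salt);
        String sql = "INSERT INTO USERS (username, salt, password) VALUES (?, ?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, Base64.getEncoder().encodeToString(salt));
            ps.setString(3, Base64.getEncoder().encodeToString(hash));
            ps.executeUpdate();
        }
    }

    // Returns true only if a row for username exists and the supplied password
    // hashes to the stored value. The '?' is bound with setString, so whatever
    // the user typed is treated as data, not as part of the SQL.
    static boolean checkLogin(Connection conn, String username, char[] password) throws Exception {
        String sql = "SELECT salt, password FROM USERS WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false; // unknown user
                }
                byte[] salt = Base64.getDecoder().decode(rs.getString("salt"));
                byte[] stored = Base64.getDecoder().decode(rs.getString("password"));
                byte[] computed = pbkdf2(password, salt);
                // Constant-time comparison; avoids leaking how many bytes matched.
                return MessageDigest.isEqual(stored, computed);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Connection details are placeholders for this example.
        try (Connection conn = DriverManager.getConnection(
                "jdbc:mysql://localhost:3306/appdb", "app", "app-password")) {
            createUser(conn, "alice", "correct horse battery".toCharArray());
            System.out.println(checkLogin(conn, "alice", "correct horse battery".toCharArray()));
            System.out.println(checkLogin(conn, "alice", "wrong".toCharArray()));
            // With binding, the injection string is just a username that does not exist.
            System.out.println(checkLogin(conn, "x' OR '1'='1", "anything".toCharArray()));
        }
    }
}
```

The lookup selects the hash and salt by username and does the comparison in Java rather than adding `AND password = ?` to the query, so the database never sees the clear-text password and the comparison can be constant time. If you keep the original two-column table, store the salt prefixed to the hash in the `password` column instead of adding a column.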
