0

I have this query (the parameters of the query are given by input: table, name and password are all strings given by text fields).

//...
ResultSet rs = st.executeQuery("select * " + 
                               "from `"+ table + "` " +
                               "where Name='" + name + "' " + 
                               "  and Password='" + password + "'");

And after this I don't understand why I can't enter this if:

else if (table=="products"){
    // ...
} 

and therefore I cannot go on with the program.

8
  • Are you encountering any error or exception? Commented Jan 18, 2014 at 18:44
  • Any exceptions been thrown that you may want to share? Commented Jan 18, 2014 at 18:44
  • 1
    Where does the if statement start? Commented Jan 18, 2014 at 18:44
  • While you're at it, please read up on prepared statements, putting user strings into SQL is something you need to know to never do. Commented Jan 18, 2014 at 18:44
  • 2
    Use String.equals to compare strings Commented Jan 18, 2014 at 18:45

3 Answers

0

The == operator compares hash values of the two objects. Only if they both have the same hash value will it return true. Always use the str1.equals(str2) method to compare Strings.

Also using prepared statements will help prevent SQL injection, a dangerous form of hacking. See here for an example of why this is dangerous.

0

Your answer:

 You need to use String.equals.

Suggestion:

 Please use a PREPARED STATEMENT. A simple statement is not secure, and for other reasons it's not good to use.
0

When you do if(table == "products"), Java will do a deep comparison of the two strings and since the two string objects are different (even though they have the same text), the code section will not execute as the condition evaluates to false. You could try table.equals("products"). This will just compare the text of the two strings.
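
The two fixes the comments and answers point to, combined in one added example (not code from the question or from any answer): a content comparison for the table name and a PreparedStatement for name and password. The class name, the `customers` entry and the `rowExists` helper are assumptions; the allow-list is there because a table name cannot be bound as a `?` parameter.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class LoginQuery {
    // Assumed table names; only "products" appears in the question.
    private static final Set<String> ALLOWED_TABLES = Set.of("products", "customers");

    // Identifiers cannot be bound as ? parameters, so the table name is
    // checked against a fixed list before it is placed in the SQL text.
    static String buildSql(String table) {
        if (table == null || !ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("unexpected table name");
        }
        return "select * from `" + table + "` where Name = ? and Password = ?";
    }

    // Name and password travel as bound values, never as SQL text.
    static boolean rowExists(Connection con, String table, String name, String password)
            throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(buildSql(table))) {
            ps.setString(1, name);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: a String created at run time, as text-field input is.
        String table = new String("products");
        System.out.println(table == "products");      // compares object references
        System.out.println(table.equals("products")); // compares characters
        System.out.println(buildSql(table));
        try {
            buildSql("products`extra");               // constructed value with a stray backtick
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` needs no database; `rowExists` expects an open JDBC `Connection` supplied by the caller.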
