0

I want to query a database using an arraylist value. It should return a value from the database the same as one of my arraylist element if it exists. I am trying something like this, but it is not working

ArrayList<String>  list  =  new ArrayList<String>();
list.add("boy");
list.add("girl");
Class.forName("com.mysql.jdbc.Driver");
Connection con = DriverManager.getConnection("url", "root", "");
Statement st = con.createStatement();
ResultSet rs = st.executeQuery("Select * from table where keyword= (list)");
Improve this question
1
  • For multiple values in the where clause see: w3schools.com/sql/sql_in.asp. In your case "select * from table where keyword in ('boy', 'girl');" Commented May 18, 2013 at 11:05

4 Answers 4

Reset to default
1

You could try something like this:

  ArrayList<String>  list  =  new ArrayList<String>();
  list.add("boy");
  list.add("girl");
  Class.forName("com.mysql.jdbc.Driver");
  Connection con = DriverManager.getConnection("url", "root", "");
  Statement st = con.createStatement();
  StringBuilder sb = new StringBuilder("Select * from table where keyword IN (");
  boolean added = false;
  for(String s:list){
    if (added){
      sb.append(",");
    }      
    sb.append("'");
    sb.append(s);
    sb.append("'");
    added = true;
  }
  sb.append(")");
  ResultSet rs = st.executeQuery(sb.toString());
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

This can be solved using the in key word.

String query = "SELECT * FROM table WHERE keyword in (";

for(String s : list)
{
    query += "'" + list + "',";
}

query += ")";

SQL Injection

You should probably escape the list entry in order to be save against SQL injection attacks. –

Improve this answer

1 Comment

You should probably escape the list entry in order to be save against SQL injection attacks.
0

First of all the query you are forming is not correct. You should be using IN clause, something like:

ResultSet rs = st.executeQuery("Select * from table where keyword IN (*comma-separated-value-from-list*)");

The only thing that is more required is converting the list into comma-separated-values, you can do something like:

String[] val = list.toArray(new String[list.size()]);
StringBuilder csvStr = new StringBuilder();
for(int i=0;i<val.length;i++){
    if (val.length > 1 && i !=0) {
        csvStr.append(",");
    }
    csvStr.append ("'").append(val[i]).append("'");
}
System.out.println(csvStr);

And use this csvStr in the query instead:

ResultSet rs = st.executeQuery("Select * from table where keyword IN ("+csvStr.toString()+")");
Improve this answer

Comments

0

You could use PreparedStatement to avoid all escaping of the SQL and security issues with that.

To do that, you build a string with question marks as a placeholder, and then add the parameters to the PreparedStatement instead of the string;

String statement = "SELECT * FROM table WHERE keyword " + getIn(list.size());
PreparedStatement preparedStatement = con.prepareStatement(statement);
for(int i=0; i<list.size(); i++)
    preparedStatement.setString(i+1, list.get(i));
ResultSet result = preparedStatement.executeQuery();

...where getIn is a function returning the IN part with question marks that is suitable for a PreparedStatement;

static String getIn(int numParams) {
    StringBuilder builder = new StringBuilder("IN (?");
    for(int i=1; i<numParams; i++)
        builder.append(",?");
    builder.append(")");
    return builder.toString();
}
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.