Click here to Skip to main content
15,885,365 members
Search within:


Variable disappears when I filter the database table
Please Sign up or sign in to vote.
1.00/5 (1 vote)
See more:
Java
I am making a library System where the user can search and filter the data in the database. My code is now filtering the table however when I start to type the variable txtNo disappears. I cannot identify what is the problem.

What I have tried:

Java
private void txtSearchKeyReleased(java.awt.event.KeyEvent evt) {                                      
        try { 
            String sql = "SELECT txtNo, txtTitle, txtAuthor, txtGenre, txtLexile, txtPoints FROM LibrarySystemDatabase WHERE txtNo like '%"+txtSearch.getText()+"%' "
                    + "OR txtTitle like '%"+txtSearch.getText()+"%'"
                    + "OR txtAuthor like '%"+txtSearch.getText()+"%'"
                    + "OR txtGenre like '%"+txtSearch.getText()+"%'"
                    + "OR txtLexile like '%"+txtSearch.getText()+"%'"
                    + "OR txtPoints like '%"+txtSearch.getText()+"%'";
            pst = conn.prepareStatement (sql);
            rs = pst.executeQuery();
            tblTable.setModel(DbUtils.resultSetToTableModel(rs));
            tblTable.removeColumn(tblTable.getColumnModel().getColumn(0));
        } catch(Exception e) {
             JOptionPane.showMessageDialog(null, e);
        }
        
    }
Posted
Updated 22-Feb-20 20:14pm
v2
Add a Solution
Comments
Jon McKee 23-Feb-20 3:02am    
Maybe I'm being dense but doesn't tblTable.removeColumn(tblTable.getColumnModel().getColumn(0)); delete txtNo? What exactly do you mean by "when I start to type the variable txtNo disappears"?
Richard MacCutchan 23-Feb-20 4:44am    
Why are you using exactly the same text field for every database column in your SELECT statement? The chances of it finding any valid records are not high. Also, you have not explained what you mean by "when I start to type the variable txtNo disappears". Disappears from where?

2 solutions

You have a bigger problem than that: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SQL
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
SQL
DROP TABLE MyTable;
A perfectly valid "delete the table" command
SQL
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
 
Share this answer
 
Posted
Quote:
when I start to type the variable txtNo disappears.

technically, txtNo is not a variable (Java), from query, it is a database field, so this means nothing to us.
Java
String sql = "SELECT txtNo, txtTitle, txtAuthor, txtGenre, txtLexile, txtPoints FROM LibrarySystemDatabase WHERE txtNo like '%"+txtSearch.getText()+"%' "
+ "OR txtTitle like '%"+txtSearch.getText()+"%'"
+ "OR txtAuthor like '%"+txtSearch.getText()+"%'"
+ "OR txtGenre like '%"+txtSearch.getText()+"%'"
+ "OR txtLexile like '%"+txtSearch.getText()+"%'"
+ "OR txtPoints like '%"+txtSearch.getText()+"%'";

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]
 
Share this answer
 
Posted
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
ADF popup disappear on filtering data
Filtering Dropdowns and then filtering a table in Asp.Net
Error in creating a table when performing database migration in ASP
Filtering Data Source table
Crystal report table filter
How to Filter a database table by using stored procedure?
ModalpopupExtender disappears while filtering data in gridview.
How do I prevent roads from disappearing when the player moves through them in a grid-based game? - C programming
How do we insert a form data into mysql database table using variable value ?
How can I retain all previously applied filters back to p table after performing delete operation on prime ng data table.

Advertise
Privacy
Cookies
Terms of Use
Last Updated 23 Feb 2020
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web01 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900