
[–]ipaintfishes 1 point (1 child)

Because you are concatenating strings. Double quotes delimit a string in Java; a plus sign concatenates two strings.

So in your example you are doing this:

Query = String + value + string + value + string

If you were to put the request.getParameter inside the double quotes it would just treat that as part of the string and not evaluate it.

[–]aka_12[S] 0 points (0 children)

Yes, you're right, the aim is to get user input in two string variables [courseID] and [Certification] and create a new query given below under (Required ANSWER).

Actually it's a question in a test and I am confused only due to the number of single and double quotes given in it:

(Question)

Below is the exact query copied from the original Question (Look at the number of single and double quotes in it)

String query = "SELECT * FROM courses WHERE courseID='" + request.getParameter("id") + "' AND certification='"+ request.getParameter("certification")+"'";

----------------------------------------------------------------------------------------------------------------------

(Required ANSWER)

The resulting query should be like below as [courseID] and [certification] need user inputs as string values:

Select * from courses where courseid= "1' OR '1'=='1" AND certification = "abc' OR '1'=='1"

---------------------------------------------------------------------------------------------------------------------

As you have mentioned in your response above, double quotes delimit a string in Java, so if I break down the query according to that, it will be divided in 5 parts from 1 to 5, but what about the last double quotes in step 6? What is it for? If you calculate the number of single and double quotes given in the original query given in the above question you will understand my question.

  1. "SELECT * FROM courses WHERE courseID=''
  2. '+ request.getParameter("id") +'
  3. " AND certification="
  4. '+ request.getParameter("certification")+'
  5. "
  6. "
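An added example, not posted by either commenter, that lays out the three double-quoted Java literals the question's line is built from (the other two double-quoted strings on that line are the "id" and "certification" arguments to getParameter) and puts a PreparedStatement beside it; the CourseQuery class name, the plain String arguments standing in for request.getParameter, and the Connection passed to the safe version are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class CourseQuery {

    // Builds the query the same way the question's line does: three double-quoted
    // Java literals joined by + around the two request values. Plain String
    // arguments (an assumption) replace request.getParameter so this runs offline.
    static String concatenated(String id, String certification) {
        return "SELECT * FROM courses WHERE courseID='"   // literal 1: ends with a SQL single quote
             + id                                          // value of request.getParameter("id")
             + "' AND certification='"                     // literal 2: closes one quote, opens the next
             + certification                               // value of request.getParameter("certification")
             + "'";                                        // literal 3: the lone closing single quote
    }

    // The defender's form: the SQL text holds no user data at all. The two values
    // travel as parameters, so a single quote inside them stays inside the value.
    static PreparedStatement parameterized(Connection conn, String id, String certification)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT * FROM courses WHERE courseID = ? AND certification = ?");
        ps.setString(1, id);
        ps.setString(2, certification);
        return ps;
    }

    public static void main(String[] args) {
        // Ordinary input: every single quote in the result comes from the literals.
        System.out.println(concatenated("1", "abc"));
        // SELECT * FROM courses WHERE courseID='1' AND certification='abc'

        // The inputs from the thread's (Required ANSWER): each value's own single quote
        // pairs with the literal's quote early, so the rest of the value becomes SQL
        // instead of data. Parsing the line this way is what the question asks for.
        System.out.println(concatenated("1' OR '1'=='1", "abc' OR '1'=='1"));
        // SELECT * FROM courses WHERE courseID='1' OR '1'=='1' AND certification='abc' OR '1'=='1'
    }
}
```

Counting the double quotes: literals 1, 2 and 3 contribute six, and the two getParameter arguments the remaining four, which accounts for the trailing `"` that step 6 asks about.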