Search Database

Ok, what am I doing wrong here?

“SELECT * FROM People where Lastname = + ‘"SearchLastNameTextField.text’”

Trying to write a search feature, but it's not searching.

"SELECT * FROM People where Lastname ='" + SearchLastNameTextField.text + "'"

and maybe even better:

"SELECT * FROM People where Lastname LIKE '%" + SearchLastNameTextField.text + "%'"

Plus, you should always perform queries from user input in the form of PreparedStatements, for security reasons.

First, the pluses are in the wrong places:

"SELECT * FROM People where Lastname = '" + SearchLastNameTextField.text + "'"

Second, you should absolutely not be doing it that way. If someone enters Jones' ; DROP TABLE People ; SELECT 'Whoopsie into the search box, you are going to be very sorry as your SQL statement will now read:

SELECT * FROM People where Lastname = 'Jones' ; DROP TABLE People ; SELECT 'Whoopsie'

Use a PreparedSQLStatement instead.
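As an added illustration of this answer (not code from the thread), here is the concatenated query beside a parameterized one, written in Python with the standard sqlite3 module rather than whatever database library the original poster is using; the People rows are constructed, and because sqlite3's execute() refuses stacked statements, the concatenated version falls back to executescript() to stand in for a driver that allows them.

```python
import sqlite3

# Constructed sample rows for the People table named in the thread.
ROWS = [("Ann", "Jones"), ("Bob", "O'Neil"), ("Cy", "Smith")]
# The exact input from the answer above.
PAYLOAD = "Jones' ; DROP TABLE People ; SELECT 'Whoopsie"

def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE People (Firstname TEXT, Lastname TEXT)")
    conn.executemany("INSERT INTO People VALUES (?, ?)", ROWS)
    return conn

def table_exists(conn):
    q = "SELECT name FROM sqlite_master WHERE type='table' AND name='People'"
    return conn.execute(q).fetchone() is not None

def search_concat(conn, last_name):
    """The thread's pattern: the input is spliced into the SQL text, so each
    quote and semicolon in it is parsed as SQL.  Returns the matching rows,
    or None when the input turned the query into several statements."""
    sql = "SELECT * FROM People where Lastname = '" + last_name + "'"
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        # sqlite3.execute() refuses stacked statements; executescript() runs
        # them all, standing in for a driver that allows stacking.
        conn.executescript(sql)
        return None

def search_param(conn, last_name):
    """Prepared statement: the SQL text is fixed and the value is bound
    separately, so quotes and semicolons in it are just characters."""
    sql = "SELECT * FROM People where Lastname = ?"
    return conn.execute(sql, (last_name,)).fetchall()

def demo():
    conn = setup()
    jones = search_concat(conn, "Jones")   # normal input works either way
    oneil = search_param(conn, "O'Neil")   # apostrophe is harmless when bound
    bound = search_param(conn, PAYLOAD)    # [] : no such last name
    before = table_exists(conn)            # True
    search_concat(conn, PAYLOAD)           # concatenation runs the DROP TABLE
    return jones, oneil, bound, before, table_exists(conn)

if __name__ == "__main__":
    print(demo())  # ([('Ann', 'Jones')], [('Bob', "O'Neil")], [], True, False)
```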

I think it must be:
"SELECT * FROM People where Lastname = '" + SearchLastNameTextField.text + "'"

[edit]
Hahaha, that was quick!
3 answers within 10 seconds.
[/edit]