
PreparedStatement

 
Joseph Sweet
Ranch Hand
Posts: 327
Hi to all,
I once read that PreparedStatement can be used to verify that the parameters it gets do not violate the SQL syntax (?) or can even prevent SQL injection (???).
I cannot find that article.

Do you know where on the web they explain how to do that?

Many thanks!
[ May 01, 2005: Message edited by: Joseph Sweet ]
 
Joseph Sweet
Ranch Hand
Posts: 327
Does anyone know?


[ May 01, 2005: Message edited by: Joseph Sweet ]
 
Jeanne Boyarsky
author & internet detective
Sheriff
Posts: 35976
Joseph,
Devx has an article on this.

When you use a PreparedStatement, it handles escaping special characters for you. In particular, unescaped quotes violate the SQL syntax. Certain forms of them can allow you to return the full table instead of a subset or even execute a stored procedure. If you search this forum for SQL injection, you will see some examples.

Note that it is good to wait at least 24 hours before bumping a post. Especially on a weekend. Many people, myself included, only go online once a day. More details at PatienceIsAVirtue.
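The behaviour Jeanne describes, shown as an added example that is not part of this thread and not Java: it uses Python's built-in sqlite3 module as a stand-in for JDBC, because sqlite3's `?` placeholders bind a parameter the same way a JDBC PreparedStatement does with `ps.setString(1, name)`. The table, the rows and the malicious input are constructed for the example. One query builds the SQL by string concatenation; the other passes the value as a bound parameter. With the concatenated version, an input containing a quote either breaks the statement (a plain name such as `o'neil`) or rewrites its logic (`x' OR '1'='1` returns the whole table); the bound version treats the same input as a literal value in both cases.

```python
import sqlite3


def build_db():
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'neil", "user")],
    )
    return conn


def find_user_concat(conn, name):
    """VULNERABLE: the value is pasted into the SQL text, so a quote in the
    input is parsed as SQL syntax rather than as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn, name):
    """SAFE: the SQL text is fixed; the value is bound to the ? placeholder
    after parsing, which is what a JDBC PreparedStatement does."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def concat_raises_syntax_error(conn, name):
    """True if the concatenated query fails to parse for this input
    (the 'unescaped quotes violate the SQL syntax' case)."""
    try:
        find_user_concat(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    attack = "x' OR '1'='1"
    print("concat, normal input   :", find_user_concat(db, "alice"))
    print("concat, attack input   :", find_user_concat(db, attack))      # whole table
    print("concat, o'neil         :", concat_raises_syntax_error(db, "o'neil"))
    print("bound,  attack input   :", find_user_bound(db, attack))       # nothing matches
    print("bound,  o'neil         :", find_user_bound(db, "o'neil"))
```

Binding covers values only. Table or column names and ORDER BY targets cannot be bound with `?` in JDBC or sqlite3, so anything of that kind taken from user input still has to be checked against an allow-list before it is spliced into the statement.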
 
Joseph Sweet
Ranch Hand
Posts: 327
Thank you.
