Using a prepared statement

Ranch Hand
Posts: 89
Hi,

I have a class with a method that takes in a connection object and a string called criteria that contains search parameters. I used to have the method findInstructors() working using a simple select statement, but this leaves it vulnerable to SQL and Javascript injection. So I want to use a prepared statement, but I'm having a little trouble.

Here is my original working method:


Here is my attempt with the prepared statement:


I'm not getting any results with the prepared statement. How can I do this properly?

Thanks,
Jenn
 
Ranch Hand
Posts: 387
hi Jenn,

I had a similar problem a while ago.

can you try this:
template.append("SELECT * FROM Instructors WHERE active = 1 AND ((Instructors.lastName) Like ?) ORDER BY Instructors.lastName");

and:
statement.setString(1, '%' + criteria + '%');

another thing: make sure you always close resultsets, (prep.) statements and connections (usually in a finally block)

Herman
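Putting the two suggestions above together in one method, as an added example that is not code from either poster: the wildcards are appended in Java and bound as a single parameter value, and try-with-resources closes the statement and result set even if an exception is thrown. The ESCAPE clause, the escapeLike helper and the List<String> return type are assumptions added here, since the original method body is not shown in the thread.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class InstructorSearch {

    // The SQL text is fixed at compile time; the only run-time input is the
    // LIKE pattern, and it reaches the database as a bound parameter, never
    // as part of the query string. '!' is declared as the LIKE escape character
    // (chosen instead of backslash so the literal is portable across databases).
    private static final String FIND_SQL =
        "SELECT * FROM Instructors WHERE active = 1 "
      + "AND Instructors.lastName LIKE ? ESCAPE '!' "
      + "ORDER BY Instructors.lastName";

    // Assumed return type: a list of matching last names. The caller owns the
    // connection, so it is not closed here.
    public static List<String> findInstructors(Connection conn, String criteria)
            throws SQLException {
        List<String> lastNames = new ArrayList<>();
        // try-with-resources closes the PreparedStatement and ResultSet in
        // every code path, which is the "always close them" advice above.
        try (PreparedStatement ps = conn.prepareStatement(FIND_SQL)) {
            // Wildcards belong in the bound value, not in the SQL text, so
            // the driver sends one string parameter: %<escaped criteria>%
            ps.setString(1, "%" + escapeLike(criteria) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    lastNames.add(rs.getString("lastName"));
                }
            }
        }
        return lastNames;
    }

    // Binding the value stops SQL injection, but LIKE still treats '%' and '_'
    // inside the value as wildcards. Escaping them keeps a search for "O_Brien"
    // from also matching "OxBrien"; the escape character itself is doubled first.
    static String escapeLike(String value) {
        return value.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }
}
```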
 
Jenn Person
Ranch Hand
Posts: 89
Ok great, I'll try this out after work and let you know of the results. Thanks so much!