The statement would look like this
select * from table where column name like 'value1' or 'value2' or 'value3'
but I do not know how many values I may need to add in, as the user will be selecting them. Currently I have built the statement as a string, but I need it to be resistant against SQL injection attacks.
Paul Sturrock wrote: JDBC doesn't have a setArrayOfValues method (this is a driver/database restriction) so you'll have to do it yourself. You'll probably have to build your SQL dynamically (as you would a Statement) and keep track of the values passed to the query criteria, then bind them at the end. So two loops should do it. To make things easier you might find that "in" clauses are easier to manage than multiple or conditions.
Would this not be inefficient, as a prepared statement is somehow stored so that the database knows how to best access the data prior to the query being run?
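
The two-loop approach from the quoted reply, as an added example that is not part of the original thread: the first loop emits one placeholder per selected value, the second binds the values. The table name `items`, the column `name`, and the class and method names are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class DynamicLikeQuery {
    // Table and column names are assumptions for this example; they are fixed
    // constants and never come from user input.
    private static final String BASE = "SELECT * FROM items WHERE ";

    // Loop 1: one "name LIKE ?" per value. Only placeholders reach the SQL text.
    static String buildSql(int valueCount) {
        if (valueCount < 1) {
            throw new IllegalArgumentException("at least one value is required");
        }
        StringBuilder sql = new StringBuilder(BASE);
        for (int i = 0; i < valueCount; i++) {
            if (i > 0) sql.append(" OR ");
            sql.append("name LIKE ?");
        }
        return sql.toString();
    }

    // Loop 2: bind each user-selected value to its placeholder (JDBC indexes from 1).
    static List<String> findNames(Connection conn, List<String> values) throws SQLException {
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(buildSql(values.size()))) {
            for (int i = 0; i < values.size(); i++) {
                ps.setString(i + 1, values.get(i));
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) names.add(rs.getString("name"));
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample input, including a value shaped like an injection attempt.
        List<String> selected = List.of("value1", "value2", "x' OR '1'='1");
        // The SQL text depends only on how many values there are, not what they contain.
        System.out.println(buildSql(selected.size()));
    }
}
```

Because the generated text is identical for any two calls with the same number of values, it is the count, not the content, that determines whether a previously prepared statement can be reused. Bound values are still interpreted by `LIKE`, so `%` and `_` inside a value act as wildcards unless they are escaped.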