James Gregory wrote: From the link already given, one example is:
// The SQL text is fixed; the two ? placeholders are filled in by the driver.
PreparedStatement updateSales = con.prepareStatement(
"UPDATE COFFEES SET SALES = ? WHERE COF_NAME LIKE ? ");
updateSales.setInt(1, 75);             // first placeholder: SALES value
updateSales.setString(2, "Colombian"); // second placeholder: COF_NAME pattern
updateSales.executeUpdate();
Your solution using string concatenation may be vulnerable to SQL injection, depending on where it gets used.
Duly noted, Paul and James. I'm just playing around at home, but definitely I want to learn about secure practices. I'll take a closer look at that tutorial page. It seems to make sense but right now it's not clear, but I'm sure it will become so with more effort.
I had planned on using my concatenated insertStr as follows...
Connection con = DriverManager.getConnection(url+dbName,userName,password);
Statement stmt = con.createStatement();
stmt.executeUpdate( insertStr );
Anyways, this all works well enough, but if there are security concerns I guess I'll have to come up with something better, especially if this all makes the transition off of my home PC.
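As an added illustration (not code from either poster), here is the concatenated insert rewritten as a PreparedStatement in the style of the quoted UPDATE example. The connection settings and the extra COFFEES columns (SUP_ID, PRICE, TOTAL) are assumptions; only COF_NAME and SALES appear in the thread.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class CoffeeInsert {
    // Placeholder connection settings (assumed, not from the thread).
    private static final String DB_URL = "jdbc:yourdriver://localhost/coffeedb";
    private static final String DB_USER = "appuser";
    private static final String DB_PASSWORD = "change-me";

    // Assumed table layout: COFFEES(COF_NAME, SUP_ID, PRICE, SALES, TOTAL).
    // The SQL text is a constant; no user input is ever spliced into it.
    private static final String INSERT_SQL =
        "INSERT INTO COFFEES (COF_NAME, SUP_ID, PRICE, SALES, TOTAL) VALUES (?, ?, ?, ?, ?)";

    /**
     * Inserts one row. Every value travels as a bound parameter, so a name
     * containing a quote (e.g. "Joe's Blend") is stored literally instead of
     * terminating the string the way it would with an executeUpdate(insertStr)
     * built by concatenation. Returns the number of rows inserted (1 on success).
     */
    public static int insertCoffee(Connection con, String name, int supplierId,
                                   float price, int sales, int total) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
            ps.setString(1, name);   // driver handles quoting/escaping of the text
            ps.setInt(2, supplierId);
            ps.setFloat(3, price);
            ps.setInt(4, sales);
            ps.setInt(5, total);
            return ps.executeUpdate();
        } // try-with-resources closes the statement even if executeUpdate throws
    }

    public static void main(String[] args) throws SQLException {
        try (Connection con = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD)) {
            int rows = insertCoffee(con, "Joe's Blend", 101, 7.99f, 0, 0);
            System.out.println("rows inserted: " + rows);
        }
    }
}
```

The same pattern replaces the concatenated insertStr entirely: keep the SQL as a constant with ? placeholders and pass each value through the matching setXxx call.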