can we write this method using prepared statement?

 
anarkali perera
Ranch Hand
Posts: 237
I found that to avoid SQL injection you should use prepared statements. But is it possible to use prepared statements all the time?

 
Paul Sturrock
Bartender
Posts: 10336
Eclipse IDE Hibernate Java
Yes, it is possible.
 
anarkali perera
Ranch Hand
Posts: 237
Then please tell me how.
 
Paul Sturrock
Bartender
Posts: 10336
Eclipse IDE Hibernate Java
Have a read through our JDBC FAQs, there is a wealth of information in there. Also Sun's JDBC tutorial explains how to use them.
 
Scott Selikoff
author
Bartender
Posts: 4087
21
Eclipse IDE Flex Google Web Toolkit
Hi Anarkali,

Why don't you try rewriting your above code with PreparedStatements, with the parameters separated out? Post that and we can take a look. As it stands now, your code is very prone to SQL injection. For example, if I set username = " '; DELETE FROM student; SELECT * from student WHERE username=' ", you're going to have problems.
 
It is sorta covered in the JavaRanch Style Guide.
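As an added illustration of what Scott describes (this is example code, not the original poster's code and not from the JDBC FAQ), the following Java program builds the concatenated query to show what the database would receive for that username value, and then runs the same lookup as a PreparedStatement, where the whole string is bound as one literal value and the table is untouched. It assumes an H2 in-memory database reachable at the URL in `JDBC_URL` with its driver on the classpath; the `student` table and its two rows are constructed sample data.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedStatementDemo {

    // Assumption: H2 in-memory database with the H2 JDBC driver on the classpath.
    // Any other JDBC URL and driver would work the same way.
    private static final String JDBC_URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    // The value from Scott's post: it closes the quoted literal and appends a second statement.
    private static final String HOSTILE_USERNAME =
            "'; DELETE FROM student; SELECT * FROM student WHERE username='";

    // Vulnerable form: the user-supplied value becomes part of the SQL text itself.
    static String buildConcatenatedQuery(String username) {
        return "SELECT id, username FROM student WHERE username = '" + username + "'";
    }

    // Hardened form: the SQL text is fixed at compile time; the value is sent as a bound parameter,
    // so quote characters inside it are data, not syntax, and no escaping is needed.
    static boolean userExists(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM student WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Helper used to confirm that the table still holds its rows after the parameterised lookup.
    static int countStudents(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM student")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(JDBC_URL)) {
            // Constructed sample schema and rows for the demonstration.
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE student (id INT PRIMARY KEY, username VARCHAR(64))");
                st.execute("INSERT INTO student VALUES (1, 'alice'), (2, 'bob')");
            }

            // Show, without executing it, the text the concatenating version would send:
            // a SELECT followed by a DELETE that empties the table.
            System.out.println("Concatenated SQL: " + buildConcatenatedQuery(HOSTILE_USERNAME));

            // The parameterised lookup searches for a username equal to the entire hostile string.
            System.out.println("Hostile username found? " + userExists(conn, HOSTILE_USERNAME));
            System.out.println("Rows remaining in student: " + countStudents(conn));
            System.out.println("alice found? " + userExists(conn, "alice"));
        }
    }
}
```

The point to take from the output is that `userExists` returns false for the hostile string and the row count is unchanged, whereas the printed concatenated query contains two statements. Separating the SQL text from the values is what makes the parameter safe; it also lets the driver reuse the parsed statement across calls.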