
How to escape this JDBC string when right side is a little complicated?

 
Dave Alvarado
Ranch Hand
Posts: 436
Hi,

I'm using Java 1.6 with Oracle 10.2. Right now, I build my SQL statement like this ...



Obviously, this is less than optimal because it allows for SQL injection. Is there a way I can rewrite the above to take advantage of PreparedStatements? Thanks, - Dave
 
Mykhailo Kozik
Greenhorn
Posts: 16
Use PreparedStatement.
It automatically prevents injections and also has higher performance.
 
Rob Spoor
Sheriff
Posts: 20605
Moving to JDBC.
 
Dave Alvarado
Ranch Hand
Posts: 436
Mykhailo,

PreparedStatement is not going to work ...



The expression after the "=" is more complicated. That's why I'm asking. - Dave
 
Paul Sturrock
Bartender
Posts: 10336
Not sure I follow. Why is a PreparedStatement not going to work in this case? (Sorry if I'm just missing something obvious)
 
Rui Silva
Greenhorn
Posts: 6
try


or I'm not understanding the problem too...

regards
 
Mykhailo Kozik
Greenhorn
Posts: 16
Dave Alvarado wrote: Mykhailo,
PreparedStatement is not going to work ...


Really, I don't see the problem.
Use the complicated part as part of the PreparedStatement.
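Since the original code samples did not survive on this page, here is an added example (written for this edit, not posted by anyone in the thread) of what Mykhailo's advice looks like in Java 1.6 JDBC: the expression on the right of the "=" stays in the SQL text, and only the user-supplied values become ? placeholders. The table, column names and the specific Oracle expression are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class OrderLookup {

    // Hypothetical query. The right-hand side of "=" is an expression, not a
    // bare value. Everything that is SQL (functions, operators, the '-' literal)
    // stays in the text; only the three values a caller supplies become "?".
    //
    // The concatenated version this replaces would have looked like
    //   "... WHERE customer_code = UPPER('" + region + "') || '-' || '" + account + "' ..."
    // which is where the injection risk comes from.
    private static final String SQL =
        "SELECT order_id FROM orders "
      + "WHERE customer_code = UPPER(?) || '-' || ? "
      + "  AND order_date = TRUNC(SYSDATE) - ?";

    public static List<Integer> findOrders(Connection conn, String region,
                                           String account, int daysAgo)
            throws SQLException {
        List<Integer> ids = new ArrayList<Integer>();
        PreparedStatement ps = conn.prepareStatement(SQL);
        try {
            // Bind by position; the driver sends values separately from the
            // SQL text, so quotes or keywords in region/account are just data.
            ps.setString(1, region);
            ps.setString(2, account);
            ps.setInt(3, daysAgo);
            ResultSet rs = ps.executeQuery();
            try {
                while (rs.next()) {
                    ids.add(rs.getInt("order_id"));
                }
            } finally {
                rs.close();
            }
        } finally {
            ps.close();   // no try-with-resources on Java 1.6
        }
        return ids;
    }
}
```

One caveat: placeholders can only stand in for values, not for identifiers (table or column names) or for SQL keywords; if the "complicated" part varies in structure, the structural variants must be chosen from a fixed set in code, with only the values bound.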
 