Stephan van Hulst wrote: Shouldn't it throw an exception when you try to run it, rather than when you instantiate it?
IIUC, preparation of a SQL statement precompiles the statement, and is a DB call. That is, preparation is a database function, not a java function. This can be tested by checking the SQL cache (usually in a DB table, which a user with proper rights can read).
SQL injection is only a problem when variables are used. Instead, use placeholders. Placeholders are used in the prepare and the values are passed at execution time. If a placeholder is used without preparation, the statement will fail because it is not valid.
When the statement is valid, does it prepare and execute properly?
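The contrast the reply draws between splicing a variable into the SQL text and binding it to a placeholder at execution time, as an added example that is not part of the thread; it uses Python's sqlite3 module instead of JDBC so it runs with no database server (the JDBC equivalents are noted in comments), and the table contents and inputs are constructed for the demonstration:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory database with a small users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable form: the variable becomes part of the SQL text, so any SQL
    # syntax inside it is parsed as part of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_placeholder(conn: sqlite3.Connection, name: str) -> list:
    # Safe form: the statement text is fixed when it is prepared; the value is
    # bound at execution time and can only ever be compared as data.
    # JDBC equivalent: prepareStatement("... WHERE name = ?") then setString(1, name).
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def placeholder_without_value(conn: sqlite3.Connection) -> str:
    # The reply's last point: a placeholder with nothing bound to it is not a
    # statement that can run, so the driver refuses it instead of guessing.
    try:
        conn.execute("SELECT name FROM users WHERE name = ?").fetchall()
        return "ran"
    except sqlite3.ProgrammingError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed test input that contains SQL syntax
    print(lookup_concatenated(db, probe))  # all three names: the input altered the WHERE clause
    print(lookup_placeholder(db, probe))   # []: the whole string was compared as a literal name
    print(placeholder_without_value(db))
```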