Hi to all, I have read once that PreparedStatement can be used to verify that the parameters it gets do not violate the SQL syntax (?) or even can prevent SQL injection (???). I cannot find that article.
Do you know where on the web they explain how to do that?
Many thanks! [ May 01, 2005: Message edited by: Joseph Sweet ]
When you use a PreparedStatement, it handles escaping special characters for you. In particular, unescaped quotes violate the SQL syntax. Certain forms of them can allow you to return the full table instead of a subset or even execute a stored procedure. If you search this forum for SQL injection, you will see some examples.
Note that it is good to wait at least 24 hours before bumping a post. Especially on a weekend. Many people, myself included, only go online once a day. More details at PatienceIsAVirtue.
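To make the reply concrete, here is an added example (not code from the original thread) showing the string-concatenated query that an unescaped quote can break out of, beside the PreparedStatement version where the same value is bound as a parameter and never parsed as SQL. It assumes a hypothetical table `users(name VARCHAR, role VARCHAR)` and a JDBC `Connection` obtained elsewhere.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/** Assumed schema (not from the thread): users(name VARCHAR, role VARCHAR). */
public class UserLookup {

    /** Vulnerable: the value is pasted into the SQL text, so a quote inside it ends the string literal. */
    public static List<String> findRolesUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT role FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    /** Safe: the SQL text is fixed; the value travels as a bound parameter, never as SQL. */
    public static List<String> findRolesSafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT role FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name); // the driver handles quoting; a quote stays an ordinary character
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> roles = new ArrayList<>();
        while (rs.next()) {
            roles.add(rs.getString("role"));
        }
        return roles;
    }

    /** Constructed input for comparison: a name that contains an unescaped quote. */
    public static final String ODD_INPUT = "x' OR 'a'='a";
    // findRolesUnsafe builds  WHERE name = 'x' OR 'a'='a'  and returns every row (the "full table").
    // findRolesSafe compares the whole string literally and returns no rows for this input.
}
```

Run both methods against the same connection with `ODD_INPUT` to see the difference in result size; the prepared version is also the one to use for performance, since the statement is parsed once and re-executed with new parameters.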