JavaRanch » Java Forums » Databases » JDBC
PreparedStatement

Joseph Sweet
Ranch Hand

Joined: Jan 29, 2005
Posts: 327
Hi to all,
I once read that PreparedStatement can be used to verify that the parameters it gets do not violate the SQL syntax (?), or even that it can prevent SQL injection (???).
I cannot find that article.

Do you know where on the web they explain how to do that?

Many thanks!
[ May 01, 2005: Message edited by: Joseph Sweet ]

We must know, we will know. -- David Hilbert
Joseph Sweet
Ranch Hand

Joined: Jan 29, 2005
Posts: 327
Does anyone know?


[ May 01, 2005: Message edited by: Joseph Sweet ]
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 30965
Joseph,
Devx has an article on this.

When you use a PreparedStatement, it handles escaping special characters for you. In particular, unescaped quotes violate the SQL syntax. Certain forms of them can allow you to return the full table instead of a subset or even execute a stored procedure. If you search this forum for SQL injection, you will see some examples.

Note that it is good to wait at least 24 hours before bumping a post. Especially on a weekend. Many people, myself included, only go online once a day. More details at PatienceIsAVirtue.


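An added illustration of the point in the reply above (example code written for this page, not code from the thread or from the DevX article). Python's standard-library sqlite3 module stands in for JDBC so that it runs with no driver to install; its `?` placeholders with a separate parameter tuple bind values the same way `PreparedStatement.setString()` does, while the `%` string formatting in the first function is the equivalent of building a `Statement` by concatenation. The `users` table, its three rows and the `' OR '1'='1` payload are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example: three accounts.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    """In-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable: the input is spliced into the SQL text, as with a JDBC
    Statement built by string concatenation. A quote in the input ends the
    string literal and the rest is parsed as SQL syntax."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (
        name, password)
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Safe: the SQL text is fixed and the values travel separately, which is
    what PreparedStatement.setString() does. The database never parses the
    values as SQL, so no escaping is needed and a quote is just a character."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both variants against honest input, a tautology payload and a
    name containing a lone quote; returns the observed results."""
    conn = make_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into ... OR '1'='1'
    results = {
        "honest_concat": login_concat(conn, "alice", "s3cret"),
        "honest_param": login_param(conn, "alice", "s3cret"),
        # Concatenated: WHERE name = 'nobody' AND password = '' OR '1'='1'
        # AND binds tighter than OR, so every row matches: the full table.
        "injected_concat": login_concat(conn, "nobody", payload),
        # Bound: the password column is compared with the literal payload.
        "injected_param": login_param(conn, "nobody", payload),
    }
    # A single unescaped quote breaks the concatenated statement outright.
    try:
        login_concat(conn, "o'brien", "x")
        results["quote_concat_error"] = None
    except sqlite3.OperationalError as exc:
        results["quote_concat_error"] = type(exc).__name__
    # The bound version simply looks for a user literally named o'brien.
    results["quote_param"] = login_param(conn, "o'brien", "x")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query returns all three names for the payload and raises a syntax error on `o'brien`; the bound query returns only the genuinely matching row in every case. The same applies to JDBC: build the SQL once with `?` markers, then call `setString`/`setInt` for each parameter rather than pasting user input into the statement text.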
Joseph Sweet
Ranch Hand

Joined: Jan 29, 2005
Posts: 327
Thank you.