
Using a prepared statement

 
Jenn Person
Ranch Hand
Posts: 89
Hi,

I have a class with a method that takes in a connection object and a string called criteria that contains search parameters. I used to have the method findInstructors() working using a simple select statement, but this leaves it vulnerable to SQL and Javascript injection. So I want to use a prepared statement, but I'm having a little trouble.

Here is my original working method:


Here is my attempt with the prepared statement:


I'm not getting any results with the prepared statement. How can I do this properly?

Thanks,
Jenn
 
Herman Schelti
Ranch Hand
Posts: 387
hi Jenn,

I had a similar problem a while ago.

can you try this:
template.append("SELECT * FROM Instructors WHERE active = 1 AND ((Instructors.lastName) Like ?) ORDER BY Instructors.lastName");

and:
statement.setString(1, '%' + criteria + '%');

another thing: make sure you always close resultsets, (prep.) statements and connections (usually in a finally block)

Herman
 
Jenn Person
Ranch Hand
Posts: 89
Ok great, I'll try this out after work and let you know of the results. Thanks so much!
 