
Using a prepared statement

Jenn Person
Ranch Hand

Joined: Jan 16, 2005
Posts: 89

I have a class with a method that takes in a connection object and a string called criteria that contains search parameters. I used to have the method findInstructors() working using a simple select statement, but this leaves it vulnerable to SQL and Javascript injection. So I want to use a prepared statement, but I'm having a little trouble.

Here is my original working method:

Here is my attempt with the prepared statement:

I'm not getting any results with the prepared statement. How can I do this properly?

Herman Schelti
Ranch Hand

Joined: Jul 17, 2006
Posts: 387
Hi Jenn,

I had a similar problem a while ago.

can you try this:
template.append("SELECT * FROM Instructors WHERE active = 1 AND ((Instructors.lastName) Like ?) ORDER BY Instructors.lastName");

statement.setString(1, '%' + criteria + '%');

Another thing: make sure you always close result sets, (prepared) statements and connections (usually in a finally block).
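
A complete version of the pattern Herman describes, as an added example that is not code from either poster. It assumes an H2 in-memory database (jdbc:h2:mem:...) on the classpath and an Instructors table with id, lastName and active columns (the table and column names follow the thread; the id column and the sample rows are constructed for the demo). It puts the concatenating query next to the parameterised one so the difference is visible on the same data, and it also escapes the LIKE wildcards, which a bound parameter does not do for you.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class InstructorSearch {

    // Escape the LIKE metacharacters so the user's text is matched literally.
    // Backslash is declared as the escape character via ESCAPE '\' in the query.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    // Vulnerable shape: criteria becomes part of the SQL text itself.
    // An input such as  x' OR 1=1 --  closes the string literal, adds its own
    // condition and comments out the rest of the query.
    static List<String> findInstructorsUnsafe(Connection conn, String criteria) throws SQLException {
        String sql = "SELECT lastName FROM Instructors WHERE active = 1 AND lastName LIKE '%"
                + criteria + "%' ORDER BY lastName";
        List<String> names = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                names.add(rs.getString(1));
            }
        }
        return names;
    }

    // Parameterised shape: the SQL text is fixed at compile time of the query;
    // criteria is sent as a bound value and can never change the statement's structure.
    static List<String> findInstructors(Connection conn, String criteria) throws SQLException {
        String sql = "SELECT lastName FROM Instructors WHERE active = 1 "
                + "AND lastName LIKE ? ESCAPE '\\' ORDER BY lastName";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            // The wildcards belong in the bound value, not in the SQL string.
            ps.setString(1, "%" + escapeLike(criteria) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 in-memory database; try-with-resources closes everything in reverse order.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1")) {
            try (Statement st = conn.createStatement()) {
                // Constructed sample data for the demo.
                st.execute("CREATE TABLE Instructors (id INT PRIMARY KEY, lastName VARCHAR(64), active INT)");
                st.execute("INSERT INTO Instructors VALUES "
                        + "(1, 'Smith', 1), (2, 'Smithers', 0), (3, 'O''Brien', 1), (4, '100%_done', 1)");
            }
            // Ordinary search: only active rows whose name contains the text.
            System.out.println(findInstructors(conn, "Smith"));
            // A quote in the input is just data when it is bound as a parameter.
            System.out.println(findInstructors(conn, "O'Brien"));
            // A literal percent sign is matched as text because escapeLike neutralises it.
            System.out.println(findInstructors(conn, "%"));
            // The concatenated query, fed a classic injection string, ignores the active = 1 filter.
            System.out.println(findInstructorsUnsafe(conn, "x' OR 1=1 --"));
        }
    }
}
```

Two caveats worth keeping in mind. Binding the parameter stops the input from altering the query, but `%` and `_` inside a bound LIKE value are still wildcards, so a search for `%` would otherwise match every row; that is why the example escapes them and declares an ESCAPE character. And a prepared statement only addresses SQL injection: if the search string or the results are later written into an HTML page, they still need output encoding there, which is a separate concern from the database call.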

Jenn Person
Ranch Hand

Joined: Jan 16, 2005
Posts: 89
Ok great, I'll try this out after work and let you know of the results. Thanks so much!