
Using a prepared statement

Jenn Person
Ranch Hand

Joined: Jan 16, 2005
Posts: 89
Hi,

I have a class with a method that takes in a connection object and a string called criteria that contains search parameters. I used to have the method findInstructors() working using a simple select statement, but this leaves it vulnerable to SQL and Javascript injection. So I want to use a prepared statement, but I'm having a little trouble.

Here is my original working method:


Here is my attempt with the prepared statement:


I'm not getting any results with the prepared statement. How can I do this properly?

Thanks,
Jenn
Herman Schelti
Ranch Hand

Joined: Jul 17, 2006
Posts: 387
hi Jenn,

I had a similar problem a while ago.

can you try this:
template.append("SELECT * FROM Instructors WHERE active = 1 AND ((Instructors.lastName) Like ?) ORDER BY Instructors.lastName");

and:
statement.setString(1, '%' + criteria + '%');

another thing: make sure you always close resultsets, (prep.) statements and connections (usually in a finally block)

Herman
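The approach in Herman's reply, written out as an added example rather than code taken from the thread: the LIKE pattern is bound as a parameter, the statement and result set are closed automatically with try-with-resources (Java 7+), and, as an addition beyond Herman's snippet, the user's own "%" and "_" characters are escaped so they cannot act as wildcards. The column name lastName and the shape of the Instructors table are assumed from the query in the thread.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class InstructorDao {

    // The search value is bound with "?" instead of being concatenated into the
    // SQL text, so user input can never change the statement's structure.
    // The ESCAPE clause (an addition to Herman's query) makes '!' the escape
    // character so that '%' and '_' typed by the user match literally;
    // '!' is used rather than a backslash because it is portable across
    // MySQL, PostgreSQL, SQL Server, Oracle and H2.
    private static final String FIND_SQL =
        "SELECT * FROM Instructors WHERE active = 1 "
      + "AND Instructors.lastName LIKE ? ESCAPE '!' "
      + "ORDER BY Instructors.lastName";

    // Returns the matching last names; the caller still owns the Connection.
    public List<String> findInstructors(Connection conn, String criteria)
            throws SQLException {
        List<String> names = new ArrayList<>();
        // try-with-resources closes the ResultSet and then the PreparedStatement
        // even if an exception is thrown: the "finally" Herman mentions, without
        // the boilerplate.
        try (PreparedStatement ps = conn.prepareStatement(FIND_SQL)) {
            // The wildcards belong in the parameter value, not in the SQL text.
            ps.setString(1, "%" + escapeLike(criteria) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("lastName")); // assumed column name
                }
            }
        }
        return names;
    }

    // Escape the LIKE metacharacters so that "50%" matches a literal "50%".
    // Must agree with the ESCAPE character declared in FIND_SQL.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }
}
```

Binding the parameter stops SQL injection, but it does not stop the caller's input from being rendered later, so the Javascript (XSS) concern Jenn mentions still has to be handled by escaping output in the view.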
Jenn Person
Ranch Hand

Joined: Jan 16, 2005
Posts: 89
Ok great, I'll try this out after work and let you know of the results. Thanks so much!