Using a prepared statement
Jenn Person
Ranch Hand
Joined: Jan 16, 2005
Posts: 89
Hi, I have a class with a method that takes in a connection object and a string called criteria that contains search parameters. I used to have the method findInstructors() working using a simple select statement, but this leaves it vulnerable to SQL and Javascript injection. So I want to use a prepared statement, but I'm having a little trouble.

Here is my original working method:

Here is my attempt with the prepared statement:

I'm not getting any results with the prepared statement. How can I do this properly?

Thanks,
Jenn
Herman Schelti
Ranch Hand
Joined: Jul 17, 2006
Posts: 387
hi Jenn,

I had a similar problem a while ago. Can you try this:

template.append("SELECT * FROM Instructors WHERE active = 1 AND ((Instructors.lastName) Like ?) ORDER BY Instructors.lastName");

and:

statement.setString(1, '%' + criteria + '%');

Another thing: make sure you always close resultsets, (prep.) statements and connections (usually in a finally block).

Herman
Jenn Person
Ranch Hand
Joined: Jan 16, 2005
Posts: 89
Ok great, I'll try this out after work and let you know of the results. Thanks so much!