Yes. You should use the PreparedStatement properly, instead of doing that string concatenation to generate your SQL. The string concatenation has two defects:
1. If there's a quote in any of the text strings, then the SQL will fail because it wasn't escaped. Using a PreparedStatement properly makes that a non-issue because the JDBC driver deals with it.
2. It may be possible for malicious users to send text strings which cause your query to do unexpected things, like deleting the whole table, for example. Google for "SQL injection attack". Again the JDBC driver deals with this by escaping the strings correctly.
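An added example (not the poster's code) showing both defects side by side with the PreparedStatement fix. It assumes an H2 in-memory database on the classpath and a hypothetical `users` table with a `name` column:

```java
import java.sql.*;

public class PreparedStatementDemo {

    // Vulnerable: the user-supplied value is pasted straight into the SQL text.
    static int countByConcatenation(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Fixed: the value is bound as a parameter, so the driver never treats it as SQL.
    static int countByPreparedStatement(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample data; assumption: H2 jar on the classpath for jdbc:h2:mem.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users (name VARCHAR(50))");
                st.execute("INSERT INTO users VALUES ('alice'), ('bob'), ('O''Brien')");
            }
            // Defect 1: a quote in perfectly legitimate data breaks the concatenated query.
            try {
                countByConcatenation(conn, "O'Brien");
            } catch (SQLException e) {
                System.out.println("concatenation failed on a quote: " + e.getMessage());
            }
            System.out.println("prepared, O'Brien: " + countByPreparedStatement(conn, "O'Brien"));
            // Defect 2: a crafted value changes the meaning of the concatenated query
            // (it matches every row); the prepared version looks for the literal string.
            String crafted = "x' OR '1'='1";
            System.out.println("concatenation, crafted: " + countByConcatenation(conn, crafted));
            System.out.println("prepared, crafted: " + countByPreparedStatement(conn, crafted));
        }
    }
}
```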
Thanks. I fixed the SQL/prepared statements. I'm in too much of a rush with this one and I'm overlooking all sorts of important things. :-( Thanks for pointing it out. I really do prefer to do things the right way ;-)