can we write this method using prepared statement?

anarkali perera
Ranch Hand

Joined: Sep 10, 2009
Posts: 237
I found that to avoid SQL injection you should use a prepared statement. But is it possible to use a prepared statement every time?

Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Yes, it is possible.


JavaRanch FAQ HowToAskQuestionsOnJavaRanch
anarkali perera
Ranch Hand

Joined: Sep 10, 2009
Posts: 237
then please tell me how?
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Have a read through our JDBC FAQs; there is a wealth of information in there. Also, Sun's JDBC tutorial explains how to use them.
Scott Selikoff
author
Saloon Keeper

Joined: Oct 23, 2005
Posts: 3740

Hi Anarkali,

Why don't you try rewriting your above code with PreparedStatements, with the parameters separated out? Post that and we can take a look. As it stands now, your code is very prone to SQL injection. For example, if I set username = " '; DELETE FROM student; SELECT * from student WHERE username=' ", you're going to have problems.


[OCA 8 Book] [Blog]
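Since the thread never shows the rewritten method, here is an added example (not code from the original poster or from JavaRanch) of the two styles side by side: the string-concatenation pattern Scott describes, and the PreparedStatement version that binds the username as a parameter. It assumes an in-memory H2 database (driver on the classpath, URL `jdbc:h2:mem:demo`) with a constructed `student` table; the class and method names are placeholders chosen for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedStatementDemo {

    // The pattern from the thread: the value is pasted into the SQL text, so any
    // quote or semicolon in it becomes part of the statement. Only built here,
    // never executed, so the reader can compare the resulting SQL string.
    static String concatenatedQuery(String username) {
        return "SELECT * FROM student WHERE username='" + username + "'";
    }

    // The fix: the SQL text is fixed at prepare time and the value travels
    // separately as a bound parameter, so it can never change the query shape.
    // Returns how many rows match the given username (hypothetical helper).
    static int countByUsername(Connection conn, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM student WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username); // driver handles quoting; no escaping by hand
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Total rows in the table, used to show the data survived the hostile input.
    static int totalRows(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM student")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 JDBC driver is on the classpath; sample data is constructed.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE student(username VARCHAR(64), name VARCHAR(64))");
                st.execute("INSERT INTO student VALUES ('alice', 'Alice'), ('bob', 'Bob')");
            }

            // The exact value from Scott's post above.
            String hostile = " '; DELETE FROM student; SELECT * from student WHERE username=' ";

            System.out.println("Concatenated SQL would be: " + concatenatedQuery(hostile));
            System.out.println("Prepared lookup of 'alice': "
                    + countByUsername(conn, "alice") + " row(s)");
            // The hostile string is compared literally against the column: 0 rows.
            System.out.println("Prepared lookup of hostile value: "
                    + countByUsername(conn, hostile) + " row(s)");
            System.out.println("Rows still in table: " + totalRows(conn));
        }
    }
}
```

The point to notice is that `countByUsername` contains no string building at all: whatever the caller passes is treated as data to compare against the column, so the DELETE inside the hostile value is never parsed as SQL and the table keeps both rows. Answering the original question, this works for every place a value is substituted into a query; what a bound parameter cannot do is stand in for an identifier (a table or column name) or a keyword, and those must come from a whitelist in the application rather than from user input.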