JavaRanch » Java Forums » Databases » JDBC and Relational Databases
can we write this method using prepared statement?

anarkali perera
Ranch Hand

Joined: Sep 10, 2009
Posts: 237
I found that to avoid SQL injection you should use a prepared statement. But is it possible to use a prepared statement all the time?

Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Yes, it is possible.
anarkali perera
Ranch Hand

Joined: Sep 10, 2009
Posts: 237
Then please tell me how?
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Have a read through our JDBC FAQs, there is a wealth of information in there. Also Sun's JDBC tutorial explains how to use them.
Scott Selikoff
author
Saloon Keeper

Joined: Oct 23, 2005
Posts: 3740
Hi Anarkali,

Why don't you try rewriting your above code with PreparedStatements, with the parameters separated out? Post that and we can take a look. As it stands now, your code is very prone to SQL injection. For example, if I set username = " '; DELETE FROM student; SELECT * from student WHERE username=' ", you're going to have problems.


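The following is an added example, not code posted by anyone in this thread. It shows the lookup rewritten the way Scott suggests: the username is bound as a parameter of a PreparedStatement, so the value in his post is sent to the database as data rather than spliced into the SQL text. The `student` table with a `username` column is assumed from that post; the in-memory H2 JDBC URL is an assumption so the class runs without an external database (any JDBC driver works).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class StudentLookup {

    // The user-supplied username is bound with setString(), so the driver sends
    // it as a parameter value. It is never part of the SQL text, so a quote in
    // it cannot terminate the literal and a semicolon cannot start a second
    // statement; the query only ever compares the whole string to the column.
    static int countByUsername(Connection conn, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM student WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Helper used only to show the table is unchanged after the lookup.
    static int totalRows(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM student")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: the H2 driver is on the classpath (in-memory database).
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                // Constructed sample data, not from the thread.
                st.execute("CREATE TABLE student (username VARCHAR(100))");
                st.execute("INSERT INTO student VALUES ('alice'), ('bob')");
            }

            // The exact value from Scott's post, passed as an ordinary string.
            String hostile = " '; DELETE FROM student; SELECT * from student WHERE username=' ";

            System.out.println("rows matching hostile input: " + countByUsername(conn, hostile));
            System.out.println("rows matching 'alice': " + countByUsername(conn, "alice"));
            System.out.println("rows still in table: " + totalRows(conn));
        }
    }
}
```

Compare this with building the SQL by concatenation (`"... WHERE username = '" + username + "'"`): there the same string becomes part of the statement text and the DELETE runs. With the bound parameter the hostile string simply matches no row, and the row count afterwards is unchanged. The same pattern covers numbers and dates through `setInt`, `setDate` and the other typed setters, which is why a prepared statement can be used for every query that takes user input.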