can we write this method using prepared statement?

anarkali perera
Ranch Hand

Joined: Sep 10, 2009
Posts: 237
I found that to avoid SQL injection I should use a prepared statement. But is it possible to use a prepared statement all the time?

Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Yes, it is possible.


JavaRanch FAQ HowToAskQuestionsOnJavaRanch
anarkali perera
Ranch Hand

Joined: Sep 10, 2009
Posts: 237
Then please tell me how?
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Have a read through our JDBC FAQs, there is a wealth of information in there. Also Sun's JDBC tutorial explains how to use them.
Scott Selikoff
Saloon Keeper

Joined: Oct 23, 2005
Posts: 3697

Hi Anarkali,

Why don't you try rewriting your above code with PreparedStatements with the parameters separated out. Post that and we can take a look. As it stands now, your code is very prone to SQL injection. For example, if I set username = " '; DELETE FROM student; SELECT * from student WHERE username=' ", you're going to have problems.


My Blog: Down Home Country Coding with Scott Selikoff
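The rewrite Scott is asking for, as an added example that is not code from this thread or from any of the posters: the string-concatenated query that the quoted username payload can break out of, beside the same query written with a PreparedStatement and its parameters separated out. The table name `student` and column `username` come from the payload quoted above; the `password` column, the class name and the method names are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/*
 * Added example, not code from the thread. Assumes a table "student" with
 * columns "username" and "password"; class and method names are hypothetical.
 */
public class StudentLogin {

    /**
     * Vulnerable form: user input is pasted into the SQL text. With a username of
     *   '; DELETE FROM student; SELECT * from student WHERE username='
     * the text sent to the database becomes three statements instead of one,
     * and the DELETE runs with the application's database privileges.
     */
    public static boolean loginVulnerable(Connection conn, String username, String password)
            throws SQLException {
        String sql = "SELECT 1 FROM student WHERE username='" + username
                + "' AND password='" + password + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return rs.next();
        }
    }

    /**
     * Hardened form: the SQL text is a constant containing only "?" placeholders.
     * Values are bound through setString, so the driver always passes them as
     * data; a quote or semicolon inside the username cannot change the statement.
     */
    public static boolean loginPrepared(Connection conn, String username, String password)
            throws SQLException {
        String sql = "SELECT 1 FROM student WHERE username = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);   // parameter indexes are 1-based
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    /** Helper that shows the query text the vulnerable version would send. */
    public static String vulnerableQueryText(String username, String password) {
        return "SELECT 1 FROM student WHERE username='" + username
                + "' AND password='" + password + "'";
    }

    public static void main(String[] args) {
        // Constructed payload, the one quoted in the thread above.
        String payload = "'; DELETE FROM student; SELECT * from student WHERE username='";
        System.out.println(vulnerableQueryText(payload, "x"));
        // Printed text begins: SELECT 1 FROM student WHERE username=''; DELETE FROM student; ...
    }
}
```

Two things to keep in mind when doing this rewrite: the number of `?` placeholders must match the number of `setXxx` calls (a mismatch surfaces as a "Parameter index out of range" SQLException), and placeholders can only stand for values. Table and column names, or an ORDER BY column, cannot be passed as `?`; if those have to vary, check them against a fixed allow-list in Java before building the statement text.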