Ulf Dittmer wrote: Your code is wide open to SQL injection attacks. You need to sanitize form parameters, and should use PreparedStatement instead of Statement.
If I may intrude here Ulf, what exactly do you mean by SQL Injection attacks? Do you refer to a scenario where the result set and the actual DB values are out of sync?
@Sachin:
This is a bad practice. Be as specific as you can about the exception that your code might throw, in this case an SQLException. Otherwise, when you are dealing with an entire application which has hundreds of source files, isolation of the issue becomes tedious.
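Added illustration for both points raised in this thread (the Statement-vs-PreparedStatement advice and the catch-the-specific-exception advice); this is not code from any of the posters. It assumes a hypothetical `users(id, username, email)` table and a JDBC `Connection` supplied by the caller. The constructed input `x' OR '1'='1` shows what "SQL injection" means: with string concatenation the form parameter becomes part of the SQL text, so the WHERE clause is rewritten by the user; with a bound parameter the same string is just data that is compared against the column.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Assumed schema (hypothetical): users(id INT, username VARCHAR, email VARCHAR). */
public class UserLookup {

    /** VULNERABLE: the form parameter is pasted straight into the SQL text. */
    static String buildVulnerableQuery(String username) {
        return "SELECT id, email FROM users WHERE username = '" + username + "'";
    }

    /** VULNERABLE: executes the concatenated string with a plain Statement. */
    static List<String> findEmailsVulnerable(Connection conn, String username) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildVulnerableQuery(username))) {
            while (rs.next()) {
                emails.add(rs.getString("email"));
            }
        }
        return emails;
    }

    /** SAFE: the parameter is bound, so quotes inside it are data, not SQL syntax. */
    static List<String> findEmails(Connection conn, String username) throws SQLException {
        String sql = "SELECT id, email FROM users WHERE username = ?";
        List<String> emails = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    emails.add(rs.getString("email"));
                }
            }
        }
        return emails;
    }

    /**
     * Caller catches SQLException specifically rather than Exception, so a database
     * failure is reported as such and an unrelated bug (NullPointerException etc.)
     * is not silently swallowed.
     */
    static List<String> lookup(Connection conn, String username) {
        try {
            return findEmails(conn, username);
        } catch (SQLException e) {
            System.err.println("user lookup failed: SQLState=" + e.getSQLState()
                    + " code=" + e.getErrorCode() + " " + e.getMessage());
            return Collections.emptyList();
        }
    }

    public static void main(String[] args) {
        // Constructed attacker input, e.g. the value of a ?username= form field.
        String attack = "x' OR '1'='1";
        System.out.println(buildVulnerableQuery(attack));
        // Prints: SELECT id, email FROM users WHERE username = 'x' OR '1'='1'
        // That WHERE clause is always true, so the query returns every row.
        // findEmails(conn, attack) instead sends the literal string "x' OR '1'='1"
        // as the bound value and matches no row.
    }
}
```

The difference is not about result sets being out of sync with the database; it is that the attacker can change the statement the database executes, and with a different payload (a `UNION SELECT`, or a second statement where the driver allows it) can read or modify data the form was never meant to touch. Binding parameters with PreparedStatement removes that possibility for the values; it does not help for table or column names, which must never come from user input.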