How does Java's PreparedStatement work?


Solution 1

If you have variables use the '?'

import java.sql.Connection;
import java.sql.PreparedStatement;

int temp = 75;
// con is an already-open java.sql.Connection
PreparedStatement pstmt = con.prepareStatement(
    "UPDATE test SET num = ?, due = now() ");
pstmt.setInt(1, temp);   // bind the first ? to the int value
pstmt.executeUpdate();

Produces an SQL statement that looks like:

UPDATE test SET num = 75, due = now();

Solution 2

If you have a variable that comes from user input, it's essential that you use the ? rather than concatenating the strings. Users might enter a string maliciously, and if you drop the string straight into SQL it can run a command you didn't intend.

I realise this one is overused, but it says it perfectly:

Little Bobby Tables
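An added example (not code from either answer) that puts the two points together: the SQL function now() stays in the query text, every variable goes through a ? placeholder, and the concatenated "before" form is shown beside the parameterised one so the difference is visible on a value containing a quote. It assumes the H2 in-memory JDBC driver is on the classpath (jdbc:h2:mem:demo); the table and column names and the input string are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/*
 * Added example, not from the original answers. Assumes the H2 driver is on
 * the classpath; any JDBC driver works for the parameter-binding part.
 * Table "test" and its columns are constructed here for the demo.
 */
public class PreparedStatementDemo {

    // Vulnerable form: the user-supplied value is pasted into the SQL text.
    // Returned, not executed, so the resulting text can be inspected.
    static String buildUnsafeUpdate(int num, String note) {
        return "UPDATE test SET num = " + num
             + ", note = '" + note + "', due = now() WHERE id = 1";
    }

    // Hardened form: now() stays in the query text, each variable is bound
    // to a ? by type. The driver sends the values as data, never as SQL.
    static int safeUpdate(Connection con, int num, String note) throws SQLException {
        String sql = "UPDATE test SET num = ?, note = ?, due = now() WHERE id = 1";
        try (PreparedStatement pstmt = con.prepareStatement(sql)) {
            pstmt.setInt(1, num);
            pstmt.setString(2, note);
            return pstmt.executeUpdate();
        }
    }

    // Read the note back, also through a bound parameter.
    static String readNote(Connection con) throws SQLException {
        try (PreparedStatement pstmt =
                 con.prepareStatement("SELECT note FROM test WHERE id = ?")) {
            pstmt.setInt(1, 1);
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed input: a quote character ends the string literal in the
        // concatenated form; when bound as a parameter it is just characters.
        String hostile = "x'; DROP TABLE test; --";

        System.out.println("Concatenated text: " + buildUnsafeUpdate(75, hostile));

        try (Connection con = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = con.createStatement()) {
                st.executeUpdate("CREATE TABLE test (id INT PRIMARY KEY, num INT, "
                               + "note VARCHAR(100), due TIMESTAMP)");
                st.executeUpdate("INSERT INTO test (id, num, note) VALUES (1, 0, 'initial')");
            }
            int rows = safeUpdate(con, 75, hostile);
            System.out.println("Rows updated: " + rows);
            System.out.println("Stored note: " + readNote(con));
            // The table still exists and the note column holds the whole
            // input string verbatim: the bound value was treated as data.
        }
    }
}
```

Running it prints the concatenated text, in which the quote has closed the literal and the rest of the input reads as SQL, and then shows that the parameterised update stored the same input as an ordinary string value. That is also why Mark Rotteveel's comment below applies: the query text is prepared once with the ? in place and the values travel separately at execute time.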

Author: Epitaph. Updated on June 27, 2022.

Comments

  • Epitaph (almost 2 years ago):

    I am planning to replace repeatedly executed Statement objects with PreparedStatement objects to improve performance. I am using arguments like the MySQL function now(), and string variables.

    Most of the PreparedStatement queries I have seen contained constant values (like 10, and strings like "New York") as arguments used for the ? in the queries. How would I go about using functions like now(), and variables as arguments? Is it necessary to use the ?s in the queries instead of actual values? I am quite confounded.

  • Adeel Ansari (over 15 years ago):

    I believe, you mean SQL Injections.

  • Mark Rotteveel (almost 4 years ago):

    This is not correct for most database systems. Most database systems will prepare the query text, and then send the parameter values on execute. This will never produce a statement that literally contains the parameter value.