How to give entry in the where clause when we use it in webpages?-Collection of common programming errors

2 years ago

admin

1 minute

In contrast to other responses, why not use a PreparedStatement?

Basically, you’ll have to code like this:

PreparedStatement st=conn.prepareStatement("select * from empdetails where empnum=?");
st.setString(1, jempId);
ResultSet rs=st.executeQuery();

The reason you should use PreparedStatements is because of SQL Injection issues. For example, using the code you posted in the question, a hacker can always type “1;delete * from empdetails” in the textbox from which you select jempid.

Thus the final query formed would be

select * from empdetails where empnum=1;delete * from empdetails

which would result in all data in empdetails getting deleted.

So always use PreparedStatements!!

Originally posted 2013-11-09 23:38:25.