Back

Explore Courses Blog Tutorials Interview Questions
0 votes
1 view
in SQL by (20.3k points)

I know that PreparedStatements avoid/prevent SQL Injection. How does it do that? Will the final form query that is constructed using PreparedStatements will be a string or otherwise?

1 Answer

0 votes
by (40.4k points)

Try using the below code:

PreparedStatement stmt = conn.createStatement("INSERT INTO students VALUES('" + user + "')");

stmt.execute();

Otherwise, use the below code:

PreparedStatement stmt = conn.prepareStatement("INSERT INTO student VALUES(?)");

stmt.setString(1, user);

stmt.execute();

Note: If the "user" came from user input and the user input was like 

Robert'); DROP TABLE students; --

Related questions

0 votes
1 answer
0 votes
1 answer
asked Nov 23, 2019 in Java by Anvi (10.2k points)
0 votes
1 answer
asked Dec 19, 2020 in SQL by Appu (6.1k points)
Welcome to Intellipaat Community. Get your technical queries answered by top developers!

28.4k questions

29.7k answers

500 comments

94.2k users

Browse Categories

...