in SQL by (20.3k points)

I know that PreparedStatements avoid/prevent SQL Injection. How do they do that? Will the final query that is constructed using PreparedStatements be a string or otherwise?

1 Answer

by (40.7k points)

Try using the below code:

// Vulnerable: createStatement() takes no arguments, and the value of "user"
// is concatenated straight into the SQL text, so it is parsed as SQL.
Statement stmt = conn.createStatement();

stmt.execute("INSERT INTO students VALUES('" + user + "')");

Otherwise, use the below code:

// Safe: the SQL text is fixed; "?" is a placeholder that is bound to the value
// of "user" as data, never interpreted as part of the statement.
PreparedStatement stmt = conn.prepareStatement("INSERT INTO students VALUES(?)");

stmt.setString(1, user);

stmt.execute();

Note: If the "user" came from user input and the user input was like

Robert'); DROP TABLE students; --
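The two patterns in the answer, run side by side against an in-memory SQLite database with that exact input. This is an added example, not code from the thread; it uses Python's standard sqlite3 module in place of JDBC, and the table, column and function names are my own choice.

```python
import sqlite3

# Constructed sample input: the injection string quoted in the answer above.
MALICIOUS_USER = "Robert'); DROP TABLE students; --"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    return conn


def insert_by_concatenation(conn, user):
    """Vulnerable pattern: the value is spliced into the SQL text, so the
    quote and semicolon inside it become SQL syntax.
    Returns (sql_text, error_message_or_None)."""
    sql = "INSERT INTO students VALUES('" + user + "')"
    try:
        conn.execute(sql)
        return sql, None
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Python's sqlite3 refuses more than one statement per execute() call;
        # the injected "; DROP TABLE ..." is exactly what made it two statements.
        # A driver or database that allows stacked statements would run the DROP.
        return sql, str(exc)


def insert_parameterized(conn, user):
    """Safe pattern: the SQL text never changes; the value is bound to the
    placeholder and is only ever treated as data."""
    sql = "INSERT INTO students VALUES(?)"
    conn.execute(sql, (user,))
    return sql


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM students")]


def demo(user=MALICIOUS_USER):
    vuln_sql, vuln_error = insert_by_concatenation(fresh_db(), user)
    safe = fresh_db()
    safe_sql = insert_parameterized(safe, user)
    return {
        "concatenated_sql_contains_drop": "DROP TABLE" in vuln_sql,
        "driver_rejected_stacked_statements": vuln_error is not None,
        "parameterized_sql_text": safe_sql,  # constant, whatever the input
        "stored": stored_names(safe),        # payload stored as a plain string
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The parameterized query's text is the same string for "Alice" and for the payload; only the bound value differs, which is why nothing in the value can change the statement's structure.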
