Intellipaat Back

Explore Courses Blog Tutorials Interview Questions

How does a PreparedStatement avoid or prevent SQL injection?

0 votes
2 views
in SQL by (20.3k points)

I know that PreparedStatements avoid/prevent SQL Injection. How does it do that? Will the final form query that is constructed using PreparedStatements will be a string or otherwise?

1 Answer

0 votes
by (40.7k points)

Try using the below code:

PreparedStatement stmt = conn.createStatement("INSERT INTO students VALUES('" + user + "')");

stmt.execute();

Otherwise, use the below code:

PreparedStatement stmt = conn.prepareStatement("INSERT INTO student VALUES(?)");

stmt.setString(1, user);

stmt.execute();

Note: If the "user" came from user input and the user input was like 

Robert'); DROP TABLE students; --

Related questions

0 votes
1 answer
How can I get the SQL of a PreparedStatement?
asked Nov 23, 2019 in Java by Anvi (10.2k points)
0 votes
1 answer
Difference between javax.sql and java.sql?
asked Dec 19, 2020 in SQL by Appu (6.1k points)

31k questions

32.8k answers

501 comments

693 users

Browse Categories

© COPYRIGHT 2011-2024 INTELLIPAAT.COM. ALL RIGHTS RESERVED.

...