
4.3 Use Bind Arguments with JDBC Applications


You can also use bind arguments in JDBC applications to eliminate SQL injection exposure.

This JDBC PreparedStatement builds its SQL text by string concatenation, so the request parameters become part of the statement itself:

String lname = request.getParameter("lname");
String fname = request.getParameter("fname");
// Vulnerable: untrusted parameter values are spliced into the SQL text
PreparedStatement pstmt = conn.prepareStatement(
    "INSERT INTO employees (last_name, first_name) " +
    "VALUES ('" + lname + "','" + fname + "')");
pstmt.execute();
pstmt.close();

can be rewritten to use bind arguments. The question marks are placeholders for the bind arguments, lname and fname; their values are supplied separately through setString, so the database treats them as data rather than as part of the SQL statement:

String fname = request.getParameter("fname");
String lname = request.getParameter("lname");
// Safe: the SQL text is fixed; the values are bound to the ? placeholders
PreparedStatement pstmt = conn.prepareStatement(
    "INSERT INTO employees (last_name, first_name) " +
    "VALUES (?,?)");
pstmt.setString(1, lname);
pstmt.setString(2, fname);
pstmt.execute();
pstmt.close();
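The following complete program is an added example, not code from this tutorial, that puts the two forms side by side against a live table. It assumes the H2 database driver is on the classpath so that the jdbc:h2:mem: URL gives an in-memory database; the table layout, the BindArgumentsDemo class and its method names are assumptions for this example. The input "O'Brien" is a constructed, legitimate surname: the concatenated form breaks on the embedded quote, while the bound form stores it exactly as given.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class BindArgumentsDemo {

    // Vulnerable form from the tutorial, kept only for contrast: the
    // parameter values become part of the SQL text.
    static void insertConcatenated(Connection conn, String lname, String fname)
            throws SQLException {
        String sql = "INSERT INTO employees (last_name, first_name) VALUES ('"
                + lname + "','" + fname + "')";
        try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.execute();
        }
    }

    // Hardened form: fixed SQL text, values bound to the ? placeholders.
    static void insertBound(Connection conn, String lname, String fname)
            throws SQLException {
        String sql = "INSERT INTO employees (last_name, first_name) VALUES (?, ?)";
        try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setString(1, lname);
            pstmt.setString(2, fname);
            pstmt.execute();
        }
    }

    // Reads the stored first name for a given last name, again with a bind argument.
    static String findFirstName(Connection conn, String lname) throws SQLException {
        String sql = "SELECT first_name FROM employees WHERE last_name = ?";
        try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setString(1, lname);
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 driver on the classpath; the database lives only in memory.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE employees ("
                        + "last_name VARCHAR(64), first_name VARCHAR(64))");
            }

            // Constructed input: a real surname containing a single quote.
            String lname = "O'Brien";
            String fname = "Maeve";

            try {
                insertConcatenated(conn, lname, fname);
                System.out.println("concatenated insert unexpectedly succeeded");
            } catch (SQLException e) {
                // The quote in the data was read as SQL syntax.
                System.out.println("concatenated insert failed: " + e.getMessage());
            }

            insertBound(conn, lname, fname);
            System.out.println("bound insert stored first_name = "
                    + findFirstName(conn, lname));
        }
    }
}
```

Run it with the H2 jar on the classpath (for example `java -cp h2.jar:. BindArgumentsDemo`). The point to take away is in the two insert methods: both use PreparedStatement, but only the bound version keeps the SQL text independent of the input, which is what removes the injection exposure.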


For more details on this topic, see:
The Java Tutorials (from Sun Microsystems), "Using Prepared Statements"