1101: fix quoting in statement
		| @ -1,23 +1,26 @@ | ||||
| == Immutable Queries | ||||
|  | ||||
| These are the best defense against SQL injection.  They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation. | ||||
| These are the best defense against SQL injection.  They either do not have data that could get interpreted, or they treat the data as a single entity that is bound to a column without interpretation. | ||||
|  | ||||
| === Static Queries | ||||
| ------------------------------------------------------- | ||||
| SELECT * FROM products; | ||||
| ------------------------------------------------------- | ||||
|  | ||||
| ------------------------------------------------------- | ||||
| SELECT * FROM users WHERE user = "'" + session.getAttribute("UserID") + "'"; | ||||
| ------------------------------------------------------- | ||||
| ---- | ||||
| String query = "SELECT * FROM products"; | ||||
| ---- | ||||
|  | ||||
| ---- | ||||
| String query = "SELECT * FROM users WHERE user = '" + session.getAttribute("UserID") + "'"; | ||||
| ---- | ||||
|  | ||||
| === Parameterized Queries | ||||
| ------------------------------------------------------- | ||||
|  | ||||
| ---- | ||||
| String query = "SELECT * FROM users WHERE last_name = ?"; | ||||
| PreparedStatement statement = connection.prepareStatement(query); | ||||
| statement.setString(1, accountName); | ||||
| ResultSet results = statement.executeQuery(); | ||||
| ------------------------------------------------------- | ||||
| ---- | ||||
|  | ||||
| === Stored Procedures | ||||
|  | ||||
| Only if stored procedure does not generate dynamic SQL | ||||
|  | ||||