== Immutable Queries

These are the best defense against SQL injection.  They either do not have data that could get interpreted or they treat the data as a single entity that is bound to a column without interpretation.

=== Static Queries
-------------------------------------------------------
select * from products;
-------------------------------------------------------

-------------------------------------------------------
select * from users where user = "'" + session.getAttribute("UserID") + "'"; 
-------------------------------------------------------

=== Parameterized Queries
-------------------------------------------------------
String query = "SELECT * FROM users WHERE last_name = ?";
PreparedStatement statement = connection.prepareStatement(query);
statement.setString(1, accountName);
ResultSet results = statement.executeQuery();
-------------------------------------------------------

=== Stored Procedures
Only if stored procedure does not generate dynamic SQL