Re: [update request]problem with parameter value
Posted by: Todd Farmer
Date: July 09, 2012 10:06AM

Hi Serge,

You need to escape this.name. Passing input directly into literal SQL strings is a pretty bad idea - you'll want to Google "SQL Injection" and see what can be done when input isn't properly validated and prepared.

JDBC provides a nice mechanism to help avoid this, via PreparedStatement. Try this instead:

import java.sql.PreparedStatement;

try {
    // The SQL text stays fixed; the value is bound as a parameter, never pasted into the string.
    PreparedStatement pstm = con.prepareStatement("INSERT INTO tblclients(firstname) VALUES ( ? )");
    pstm.setString(1, this.name);
    pstm.executeUpdate();
    ...

--
Todd Farmer
MySQL @ Oracle
http://www.oracle.com/mysql/
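To show the difference concretely, here is an added example (not code from the thread) that runs the concatenated version and the PreparedStatement version side by side against the tblclients table from the question; it assumes an in-memory SQLite database through the sqlite-jdbc driver on the classpath, and the input name is a constructed one.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not from the thread. Assumes the sqlite-jdbc driver is on the
// classpath; swap the URL for a MySQL one to run it against a real tblclients.
public class ClientInsertDemo {
    // The pattern the original poster used: the value becomes part of the SQL
    // text, so a quote inside it changes the statement instead of the data.
    static void insertUnsafe(Connection con, String name) throws SQLException {
        String sql = "INSERT INTO tblclients(firstname) VALUES ('" + name + "')";
        try (Statement st = con.createStatement()) {
            st.executeUpdate(sql);
        }
    }

    // The fix from the reply: the SQL text is constant and the value is bound
    // separately, so it is never parsed as SQL whatever characters it contains.
    static void insertSafe(Connection con, String name) throws SQLException {
        String sql = "INSERT INTO tblclients(firstname) VALUES (?)";
        try (PreparedStatement pstm = con.prepareStatement(sql)) {
            pstm.setString(1, name);
            pstm.executeUpdate();
        }
    }

    public static void main(String[] args) throws SQLException {
        String name = "O'Brien"; // constructed input: an ordinary name with a quote
        try (Connection con = DriverManager.getConnection("jdbc:sqlite::memory:");
             Statement st = con.createStatement()) {
            st.executeUpdate("CREATE TABLE tblclients(firstname VARCHAR(50))");
            try {
                insertUnsafe(con, name);
            } catch (SQLException e) {
                // The quote in the name breaks the statement (syntax error).
                System.out.println("concatenated SQL failed: " + e.getMessage());
            }
            insertSafe(con, name);
            try (ResultSet rs = st.executeQuery("SELECT firstname FROM tblclients")) {
                while (rs.next()) {
                    System.out.println("stored: " + rs.getString(1));
                }
            }
        }
    }
}
```

The concatenated insert fails on a legitimate name, while the bound parameter stores it verbatim; the same mechanism is what keeps crafted input from altering the statement.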
