On Wed, Jul 25, 2012 at 7:13 PM, Rural Hunter <ruralhunter@gmail.com> wrote:
> Why not just use simple Statement instead of PreparedStatement and construct
> the SQL with concated string or StringBuilder? like this:
> int col1=xxx;
> String col2="xxxx";
> String sql="select * from table where col1="+col+" and col2='"+col2+"'";
Ah, finally get to apply the old there's-an-xkcd-for-that rule here:
http://xkcd.com/327/
Or, more informatively: http://en.wikipedia.org/wiki/SQL_injection
Note that it's not completely crazy (in fact, the JDBC driver used to
this this forever ago): if you know what you're doing, you *can*
safely escape strings and avoid injection. But it's not for the faint
of heart.
Also, if you control the parameters and can verify that escaping is
not (and will never be) necessary over the domain of their possible
values, that's another option.
But in general, it's safer to let drivers worry about this.
