
how to get string value in query

System.out.print("Enter MName= ");
mname = br.readLine();                        // br: BufferedReader on System.in, mname: String
// the string value is pasted straight into the SQL text, without quotes, so the
// database parses mname as a bare identifier rather than a string literal
su = "UPDATE contact SET mname= " + mname + " WHERE id=" + cid;
System.out.println(su);
n = s.executeUpdate(su);                      // s: java.sql.Statement, n: rows updated

1st Jun 2023, 5:47 PM
Sahil Kshirsagar
2 Answers
1st Jun 2023, 6:02 PM
Sakshi [Offline 🙃]
You should never use string concatenation to write SQL. This is how you can fall victim to code injection attacks. You should use PreparedStatement instead, as suggested in the stackoverflow article linked by Sakshi. https://www.baeldung.com/java-statement-preparedstatement
1st Jun 2023, 8:26 PM
Tibor Santa
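To make the answer above concrete, here is an added example (not code from the question or either answer) showing both halves: what the concatenated query turns into when the typed value carries SQL of its own, and the same update written with PreparedStatement. The table `contact(id, mname)` and the `cid` column name come from the question; the `jdbc.url` system property, the class and method names, and the attacker input are assumptions made for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class ContactUpdate {

    // The question's concatenation with the missing quotes added. This is the
    // "before": the user's value becomes part of the SQL text the database parses.
    static String buildConcatenatedUpdate(String mname, int cid) {
        return "UPDATE contact SET mname='" + mname + "' WHERE id=" + cid;
    }

    // The "after": the value is bound as a parameter, so whatever the user types is
    // stored literally as the middle name and can never change the statement's shape.
    static int updateMiddleName(Connection conn, int cid, String mname) throws SQLException {
        String sql = "UPDATE contact SET mname = ? WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, mname);   // no manual quoting; the driver handles the value
            ps.setInt(2, cid);
            return ps.executeUpdate(); // number of rows changed
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed attacker input for the "Enter MName= " prompt. The trailing
        // space after "--" matters for MySQL, which only treats "-- " as a comment.
        String payload = "x' WHERE 1=1 -- ";

        String injected = buildConcatenatedUpdate(payload, 7);
        System.out.println(injected);
        // UPDATE contact SET mname='x' WHERE 1=1 -- ' WHERE id=7
        // The real "WHERE id=7" is commented out, so every row's mname is overwritten.

        // Assumption: pass -Djdbc.url=... for a database that has the contact table
        // and whose JDBC driver is on the classpath; without it, only the string
        // construction above is demonstrated.
        String jdbcUrl = System.getProperty("jdbc.url");
        if (jdbcUrl != null) {
            try (Connection conn = DriverManager.getConnection(jdbcUrl)) {
                int n = updateMiddleName(conn, 7, payload);
                System.out.println(n + " row(s) updated; payload stored as a plain string");
            }
        }
    }
}
```

The PreparedStatement version also answers the literal question in the title: you never add quotes around a string value yourself, the `?` placeholder plus `setString` does that for you, and the same statement object can be reused with different values without rebuilding the SQL text.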