How to get a string value into a query

```java
System.out.print("Enter MName= ");
mname = br.readLine();
// mname is spliced into the SQL text as-is, without quotes, so the value itself becomes part of the statement
su = "UPDATE contact SET mname= " + mname + " WHERE id=" + cid;
System.out.println(su);
n = s.executeUpdate(su);
```

1st Jun 2023, 5:47 PM
Sahil Kshirsagar
3 Answers
+ 4
You should never use string concatenation to write SQL. This is how you can fall victim to code injection attacks. You should use PreparedStatement instead, as suggested in the stackoverflow article linked by Sakshi. https://www.baeldung.com/java-statement-preparedstatement
1st Jun 2023, 8:26 PM
Tibor Santa
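The PreparedStatement form of the same update, as an added example that is not part of this thread: it assumes the `contact` table from the question with an integer `id` and a text `mname` column, and the JDBC URL and credentials are placeholders to be replaced with the real driver settings.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class UpdateContact {

    // Placeholder URL: substitute the real driver URL and put that driver on the classpath.
    private static final String JDBC_URL = "jdbc:PLACEHOLDER://localhost/contactdb";

    /** Updates contact.mname for one row and returns the number of rows changed. */
    static int updateMiddleName(Connection con, int cid, String mname) throws SQLException {
        // The '?' placeholders are bound as values by the driver, never pasted into the SQL
        // text, so quotes or keywords typed into mname cannot alter the statement.
        String sql = "UPDATE contact SET mname = ? WHERE id = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, mname); // no manual quoting of the string value needed
            ps.setInt(2, cid);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) throws Exception {
        BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
        System.out.print("Enter id= ");
        int cid = Integer.parseInt(br.readLine().trim());
        System.out.print("Enter MName= ");
        String mname = br.readLine();

        // Placeholder credentials; use the account configured for the database.
        try (Connection con = DriverManager.getConnection(JDBC_URL, "user", "password")) {
            int n = updateMiddleName(con, cid, mname);
            System.out.println(n + " row(s) updated");
        }
    }
}
```

A value such as `O'Brien` is stored exactly as typed here, whereas the concatenated version in the question would produce a syntax error or, worse, a different statement.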
+ 3
Sahil, your question is incomplete. I'll suggest you link the actual code to the description so I can review it. To debug this, I need to know the data type of su, br, mname and every other variable provided.
1st Jun 2023, 5:59 PM
Mirielle