Suppose, I have a form and based on the fields filling the form by the user, I have Java code Using SQL statement and "field 1 = 'A' and field 2 = 'B' and field 3 = 'concurrentation of clients such as' C' etc. etc. If the fields are not filled in, then I can not add this part except My Java SQL string is thus in the database in that field I accept any value, I am really told that the inserted SQL string is a bad practice and I should use the space created instead of the actual execution. How can I do this without creating a statement made?
First of all, Aligned strings You have only saved yourself from a dirty SQL injection attack.
You want to use the same logic as before - After that, in the end, when you create your if < / Code> is the same set of statements, and only SQL where the area is present. You probably want a
StringBuilder
that you use SQL and a ArrayList & lt; String & gt; To store parameter values, unless you are ready to use them you may end up with whole blocks that look like this.
if (! Field1Text.equals ("")) {sql.append ("and field1 =?"); Params.add (field1Text); }
created location
, then you will repeat through the list of criteria, setString
for each.
No comments:
Post a Comment