I know using prepared statements helps to avoid SQL injection. My problem is that a prepared statement is usually very static. I have a problem where I build the WHERE clause of the SQL query at runtime, depending on user input. Depending on which input fields are filled, I have to add the corresponding statements to the WHERE clause. How can this be realized with prepared statements?
I guess you could dynamically build your prepared statements based on what columns they want to query, i.e. use a StringBuffer and a loop to build them based on the required columns.
For efficiency you should keep these in some kind of in-memory lookup. So you’d end up with a Map or other collection of prepared statements where the retrieval key is the columns they’re designed to query against.
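The approach the answer describes (a fixed allow-list of column predicates, a loop that appends only the filled fields, and one placeholder per value) shown as an added example, not code from the question or answer; it uses Python's sqlite3 module and a constructed in-memory `users` table, so the field names and predicates are assumptions:

```python
import sqlite3

# Allow-list: form field name -> SQL predicate with exactly one '?' placeholder.
# User input only decides WHICH entries are used (by filling a field); the SQL
# text is fixed here, and every value travels as a bound parameter.
PREDICATES = {
    "name": "name = ?",
    "city": "city = ?",
    "min_age": "age >= ?",
}

def build_query(form):
    """Assemble 'SELECT ... [WHERE p1 AND p2 ...]' from the filled form fields.

    Returns (sql, params). Empty/None values are skipped; unknown field names
    are rejected instead of being interpolated into the statement.
    """
    clauses, params = [], []
    for field in sorted(form):  # fixed order -> same field set yields same SQL
        value = form[field]
        if value is None or value == "":
            continue
        if field not in PREDICATES:
            raise ValueError(f"unknown search field: {field!r}")
        clauses.append(PREDICATES[field])
        params.append(value)
    sql = "SELECT name FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params

def search(conn, form):
    """Run the assembled statement; values are bound, never spliced into SQL."""
    sql, params = build_query(form)
    return [row[0] for row in conn.execute(sql, params)]

def demo_db():
    """Constructed in-memory sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, city TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users (name, city, age) VALUES (?, ?, ?)",
                     [("alice", "berlin", 34), ("bob", "berlin", 19), ("carol", "paris", 41)])
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(search(db, {"city": "berlin", "min_age": 30}))   # ['alice']
    print(search(db, {"name": "' OR 1=1 --"}))             # [] : bound as a literal
```

Because the fields are appended in a fixed order, every request with the same set of filled fields produces the identical SQL string, which is what lets a cache keyed by column set (the answer's Map, or sqlite3's own per-connection statement cache) reuse the compiled statement.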