I was doing an assignment and had an update class which accepted the SQL and updated the table. I am using Java. I did it this way:
// user-supplied values are concatenated straight into the SQL text
sqls = "INSERT INTO statistics(ID, TeamName, Wins, Draws, Losses, Points, DatePlayed) VALUES ( 0 ,'" + var1 + "'," + var2 + "," + var3 + "," + var4 + "," + var5 + ",'" + date + "')";
Class.forName("com.mysql.jdbc.Driver").newInstance();
con = DriverManager.getConnection("jdbc:mysql://localhost/players", "root", "123");
stmt = con.prepareStatement(sqls);
// the no-argument form: executeUpdate(String) is a Statement method that JDBC
// specifies must throw SQLException when called on a PreparedStatement
int updaterows = stmt.executeUpdate();
My teacher did it this way:
// the SQL text is fixed; each value is bound to a '?' placeholder afterwards
sqls = "INSERT INTO statistics(TeamName, Wins, Draws, Losses, Points, DatePlayed) VALUES (?,?,?,?,?,?)";
Class.forName("com.mysql.jdbc.Driver").newInstance();
con = DriverManager.getConnection("jdbc:mysql://localhost/players", "root", "123");
stmt = con.prepareStatement(sqls);
stmt.setString(1, var1);      // TeamName
stmt.setInt(2, var2);         // Wins
stmt.setInt(3, var3);         // Draws
stmt.setInt(4, var4);         // Losses
stmt.setInt(5, var5);         // Points
stmt.setTimestamp(6, var6);   // DatePlayed
int updaterows = stmt.executeUpdate();
Which one is better, and why? It really got me confused, as both methods worked.
Definitely use the second way – the teacher's way. Your way is very dangerous, because the code is prone to SQL injection. Any person could enter "DROP DATABASE" as TeamName and your database will be gone.
P.S. Some fun – Bobby Tables.
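The difference between the two approaches can be shown end to end without a MySQL server. The following is an added example, not code from the question or the answer: it uses Python's built-in sqlite3 module (its DB-API uses the same "?" placeholders as the teacher's JDBC code) to run both insert styles against a constructed in-memory copy of the statistics table, and feeds both the same constructed malicious TeamName. The table schema, the PAYLOAD string and the demo_* function names are assumptions made for the example.

```python
import sqlite3

# Constructed schema mirroring the table in the question; ID is auto-assigned.
SCHEMA = """
CREATE TABLE statistics (
    ID         INTEGER PRIMARY KEY,
    TeamName   TEXT    NOT NULL,
    Wins       INTEGER NOT NULL,
    Draws      INTEGER NOT NULL,
    Losses     INTEGER NOT NULL,
    Points     INTEGER NOT NULL,
    DatePlayed TEXT    NOT NULL
)
"""

COLUMNS = "TeamName, Wins, Draws, Losses, Points, DatePlayed"


def fresh_db():
    """Return an in-memory database with an empty statistics table."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    return con


def insert_concatenated(con, team, wins, draws, losses, points, date):
    """The asker's pattern: input pasted into the SQL text itself.
    Returns the SQL string that was actually handed to the database."""
    sql = ("INSERT INTO statistics(" + COLUMNS + ") VALUES ('" + team + "',"
           + str(wins) + "," + str(draws) + "," + str(losses) + ","
           + str(points) + ",'" + date + "')")
    con.execute(sql)
    con.commit()
    return sql


def insert_parameterized(con, team, wins, draws, losses, points, date):
    """The teacher's pattern: SQL text is fixed, values are bound to '?' slots.
    The database receives the statement and the values separately, so the
    values can never be parsed as SQL."""
    sql = "INSERT INTO statistics(" + COLUMNS + ") VALUES (?,?,?,?,?,?)"
    con.execute(sql, (team, wins, draws, losses, points, date))
    con.commit()
    return sql


def team_names(con):
    """All TeamName values in insertion order."""
    return [row[0] for row in con.execute("SELECT TeamName FROM statistics ORDER BY ID")]


# Constructed attacker input for the TeamName field: closes the string literal,
# completes the first row, appends a second row of the attacker's choosing and
# comments out the rest of the original statement.
PAYLOAD = "Evil', 0, 0, 0, 0, '2000-01-01'), ('Pwned', 99, 0, 0, 999, '2000-01-01') -- "


def demo_concatenated():
    """One 'insert' call, two rows: the payload changed the statement's structure."""
    con = fresh_db()
    insert_concatenated(con, PAYLOAD, 2, 1, 0, 7, "2024-03-01")
    return team_names(con)   # ['Evil', 'Pwned']


def demo_parameterized():
    """Same payload, one row: it is stored verbatim as an (odd) team name."""
    con = fresh_db()
    insert_parameterized(con, PAYLOAD, 2, 1, 0, 7, "2024-03-01")
    return team_names(con)   # [PAYLOAD]


if __name__ == "__main__":
    print("concatenated :", demo_concatenated())
    print("parameterized:", demo_parameterized())
```

Two points worth noting. First, the payload here never needs a second statement: it rewrites the single INSERT, so it works even where the driver refuses stacked queries (sqlite3's execute() rejects more than one statement per call, and MySQL Connector/J does likewise unless allowMultiQueries=true), which is why prepared statements, not a ban on semicolons, are the fix. Second, in the asker's code the numeric columns are Java ints, so only the two quoted fields are injectable; had those values arrived as strings from a form, the unquoted numeric positions would be injectable with no quote character at all, and the parameterized version would still be safe because setInt/setString bind typed values rather than text.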