Java:
PreparedStatement stmt = myConnection.prepareStatement("CALL myStoredRoutine(?, ?, ?)");
stmt.setString(1, a);
stmt.setString(2, b);
stmt.setString(3, c);
stmt.executeQuery();
If my stored routine is in MySQL, is it possible for the unfiltered Strings to inject something into my code?
No, as PreparedStatement was built to protect against SQL Injection. I see you're calling a stored procedure, so better use CallableStatement.

Instances of PreparedStatement contain an SQL statement that has already been compiled. This is what makes a statement "prepared".

Because PreparedStatement objects are precompiled, their execution can be faster than that of Statement objects.

The prepared statement is used to execute SQL queries.

A CallableStatement object provides a way to call stored procedures in a standard way for all RDBMSs. A stored procedure is stored in a database; the call to the stored procedure is what a CallableStatement object contains.
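Added example (not from the question or the answer above) showing the string-concatenated call beside the CallableStatement form the answer recommends; it assumes a `Connection` obtained elsewhere and that `myStoredRoutine` returns a result set whose first column is a string.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class StoredRoutineCall {

    // UNSAFE: a, b and c are pasted into the SQL text, so a value containing a
    // quote character changes the statement the server parses. Shown only as the
    // pattern to avoid; do not use.
    static List<String> callUnsafe(Connection conn, String a, String b, String c)
            throws SQLException {
        List<String> rows = new ArrayList<>();
        String sql = "CALL myStoredRoutine('" + a + "', '" + b + "', '" + c + "')";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            while (rs.next()) rows.add(rs.getString(1));
        }
        return rows;
    }

    // SAFE: the SQL text is fixed when the call is prepared; a, b and c travel to
    // the server as bound parameters and are never parsed as SQL, whatever
    // characters they contain. {call ...} is the JDBC escape syntax for routines.
    static List<String> callSafe(Connection conn, String a, String b, String c)
            throws SQLException {
        List<String> rows = new ArrayList<>();
        try (CallableStatement stmt = conn.prepareCall("{call myStoredRoutine(?, ?, ?)}")) {
            stmt.setString(1, a);
            stmt.setString(2, b);
            stmt.setString(3, c);
            // execute() returns true when the routine produced a result set
            if (stmt.execute()) {
                try (ResultSet rs = stmt.getResultSet()) {
                    while (rs.next()) rows.add(rs.getString(1));
                }
            }
        }
        return rows;
    }
}
```

Binding protects the CALL statement itself; the routine body is separate MySQL code, so if it assembles SQL text from its arguments (for example with PREPARE ... FROM CONCAT(...)) that body needs its own review.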