PreparedStatement - parameters from user combined with constants

Question

liran 0 Newbie Poster

13 Years Ago

Hye
I have a question:
Suppose I use JDBC, JDBCTemplate in order to execute a sql query.
The query is something like:
query = "SELECT ... FROM ... WHERE user = ? AND password = ? AND x='valuex' AND y='valuey' ..."

Where user,password - I got from the web user - so I want it to be in a PreparedStatement.
But x,y,... (Suppose there are many variables like this) are values which I set their values myself at the code (e.g. constants), so there is no use for PreparedStatement on them.

Is there a way I can combine the two ways, something like:
PreparedStatement preparedStatement = ...
preparedStatement.setString(1,userValue)
preparedStatement.setString(2,passwordValue)
execute(query,preparedStatement,new Object[]('valuex','valuey'...)) ?

If there is, please write me an example of this part of the code, how can I do this exactly.

Thanks

java jdbc prepared-statement sql sql-injection

2 Contributors
6 Replies
297 Views
6 Hours Discussion Span
Latest Post 13 Years Ago Latest Post by liran

All 6 Replies

~s.o.s~ 2,560 Failure as a human

13 Years Ago

If you need to pass them for every call to prepared statement, then they are not constant and should be part of prepare statement. If they really are constants, you can embed those values in the query itself. Or you can combine both the approaches:

var pStmt = "select * from tbl where u=? and p=? and x=? and y=?";
pStmt.setString(1, user); pStmt.setString(2, pwd);
pStmt.setString(3, CONST1); pStmt.setString(4, CONST2);

~s.o.s~ 2,560 Failure as a human

13 Years Ago

It does not matter whether x and y are from the user or not. You can set it in the prepared statement as you do it for username and password. As long as 'x' and 'y' are variables which are available in the scope of the method, you can use them as you would use your username and password.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

liran 0 Newbie Poster · Answer 1 · 2011-03-06T22:22:30+00:00

OK, i was not clear enough.
x,y,... are variables, but not from the user.
It's true that I can do:
query = "SELECT ... FROM ... WHERE user = ? AND password = ? AND x='"+valuex+'" AND y='"+valuey+"' ..."
It will give me what I need, but it's not so readable.

Therefore, I want something like:
query = "SELECT ... FROM ... WHERE user = ? AND password = ? AND x=? AND y=? ..."
PreparedStatement preparedStatement = ...
preparedStatement.setString(1,userValue)
preparedStatement.setString(2,passwordValue)
execute(query,preparedStatement,new Object[]('valuex','valuey'...)) ?

liran 0 Newbie Poster · Answer 2 · 2011-03-06T22:49:44+00:00

So it's pretty much like new Object[]{...} ? There is no significant performance different if I put many variables in the PreparedStatement ?

~s.o.s~ 2,560 Failure as a human Team Colleague Featured Poster · Answer 3 · 2011-03-06T22:53:14+00:00

Not that I know of; on the contrary, PreparedStatements are capable of being compiled down to an efficient representation since the structure of the query remains the same with the variables being parametrized. This is much better than creating a SQL query for each request by concatenating the values of x and y to the original SELECT query which can't be compiled down to an optimized form.

liran 0 Newbie Poster · Answer 4 · 2011-03-06T22:56:36+00:00

OK, thanks for the quick and detailed answer.

If anyone else disagrees, please write.

PreparedStatement - parameters from user combined with constants

Recommended Answers Collapse Answers

All 6 Replies

Recommended Answers