Get startedGet started for free

Prepared Statements

After discovering the SQL injection vulnerability, CityBook Libraries needs you to secure the book search feature. You'll switch from simple Statement objects to PreparedStatement to prevent injection attacks.

The HikariSetup class is already configured.

This exercise is part of the course

Querying a PostgreSQL Database in Java

View Course

Exercise instructions

  • Use a placeholder for the title parameter.
  • Create a PreparedStatement from the connection.
  • Set the title parameter for the prepared statement.

Hands-on interactive exercise

Have a go at this exercise by completing this sample code.

public class Main {
    public static void main(String[] args) throws SQLException {
        HikariDataSource ds = HikariSetup.createDataSource();
        // Set the parameter in the query
        String query = "SELECT * FROM books WHERE title = ____";
        // Create the prepared statement
        try (Connection conn = ds.getConnection();
            PreparedStatement pstmt = ____.____(query)) {
            // Set the title parameter
            pstmt.____(____, "Clean Code");
            try (ResultSet rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    System.out.printf("ID: %d, Title: %s (%d)%n", rs.getInt("book_id"), rs.getString("title"), rs.getInt("publication_year"));
                }
            }
        }
    }
}
Edit and Run Code