ComenzarEmpieza gratis

Prepared Statements

After discovering the SQL injection vulnerability, CityBook Libraries needs you to secure the book search feature. You'll switch from simple Statement objects to PreparedStatement to prevent injection attacks.

The HikariSetup class is already configured.

Este ejercicio forma parte del curso

Querying a PostgreSQL Database in Java

Ver curso

Instrucciones del ejercicio

  • Use a placeholder for the title parameter.
  • Create a PreparedStatement from the connection.
  • Set the title parameter for the prepared statement.

Ejercicio interactivo práctico

Prueba este ejercicio y completa el código de muestra.

public class Main {
    public static void main(String[] args) throws SQLException {
        HikariDataSource ds = HikariSetup.createDataSource();
        // Set the parameter in the query
        String query = "SELECT * FROM books WHERE title = ____";
        // Create the prepared statement
        try (Connection conn = ds.getConnection();
            PreparedStatement pstmt = ____.____(query)) {
            // Set the title parameter
            pstmt.____(____, "Clean Code");
            try (ResultSet rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    System.out.printf("ID: %d, Title: %s (%d)%n", rs.getInt("book_id"), rs.getString("title"), rs.getInt("publication_year"));
                }
            }
        }
    }
}
Editar y ejecutar código