ComeçarComece de graça

Prepared Statements

After discovering the SQL injection vulnerability, CityBook Libraries needs you to secure the book search feature. You'll switch from simple Statement objects to PreparedStatement to prevent injection attacks.

The HikariSetup class is already configured.

Este exercício faz parte do curso

Querying a PostgreSQL Database in Java

Ver curso

Instruções do exercício

  • Use a placeholder for the title parameter.
  • Create a PreparedStatement from the connection.
  • Set the title parameter for the prepared statement.

Exercício interativo prático

Experimente este exercício completando este código de exemplo.

public class Main {
    public static void main(String[] args) throws SQLException {
        HikariDataSource ds = HikariSetup.createDataSource();
        // Set the parameter in the query
        String query = "SELECT * FROM books WHERE title = ____";
        // Create the prepared statement
        try (Connection conn = ds.getConnection();
            PreparedStatement pstmt = ____.____(query)) {
            // Set the title parameter
            pstmt.____(____, "Clean Code");
            try (ResultSet rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    System.out.printf("ID: %d, Title: %s (%d)%n", rs.getInt("book_id"), rs.getString("title"), rs.getInt("publication_year"));
                }
            }
        }
    }
}
Editar e executar o código