How to escape strings in java to avoid sql injection?
"UPDATE tableName SET fieldName='abc' " + stringValue + "WHERE id=1"
i want this stringValue to be escaped
ignore if any syntax error in update query .. 😀
The only way to prevent SQL injection is with parameterized SQL. Use parameters for all input, updates, and where clauses. Dynamic SQL is simply an open door for hackers, and that includes dynamic SQL in stored procedures.
Try using the PREPARED statements. They will be helpful.