by Robert Kochem <robert@[EMAIL PROTECTED]>
Feb 16, 2008 at 03:49 PM
mak1084@[EMAIL PROTECTED] wrote:
> String str1 = "select roll_no from student where sem_id = (select
> sem_id from subject where course_id ='bsc_it' and sub_id =
> '"+getsub1+"')";
Please don't forget that creating SQL queries with user-specified input
incorporates the possibility of an SQL injection attack. Therefore I
strongly recommend changing your code to use a PreparedStatement and set
the parameters via setInt() or setString() - then your WebApp is secure
against such attacks.
http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html
Robert
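The PreparedStatement rewrite of the quoted query, as an added example that is not part of the original post; it assumes a JDBC Connection supplied by the caller and that roll_no is an integer column:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class StudentLookup {

    // Same query as in the original post, but the user-supplied sub_id is
    // a bound parameter (?) instead of being concatenated into the SQL text.
    // The driver sends the statement and the value separately, so a quote
    // character in the input is stored/compared as data and cannot change
    // the structure of the query.
    static final String SAFE_SQL =
        "select roll_no from student where sem_id = (select sem_id "
      + "from subject where course_id = 'bsc_it' and sub_id = ?)";

    // Returns the roll numbers for the given subject id.
    // (Assumption: roll_no is an integer column; the Connection is managed
    // by the caller.)
    static List<Integer> findRollNumbers(Connection conn, String subId)
            throws SQLException {
        List<Integer> rollNumbers = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(SAFE_SQL)) {
            ps.setString(1, subId);  // bound as data, never as SQL text
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rollNumbers.add(rs.getInt("roll_no"));
                }
            }
        }
        return rollNumbers;
    }
}
```

If course_id also comes from user input, bind it the same way with a second `?` and `ps.setString(2, courseId)` rather than leaving it as a literal.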