Passing parameters to a JDBC PreparedStatement

Backend · Unresolved · 6 · 723
星月不相逢 2020-11-28 11:45

I'm trying to make my validation class for my program. I have already established the connection to the MySQL database and I have already inserted rows into the table. The table consis

6 answers
  •  北海茫月
    2020-11-28 12:20

    You can use '?' to set custom parameters in string using PreparedStatements.

    import java.sql.PreparedStatement;
    import java.sql.ResultSet;

    // Bind the user-supplied value to the '?' placeholder instead of concatenating it into the SQL text
    PreparedStatement statement = con.prepareStatement("SELECT * FROM employee WHERE userID = ?");
    statement.setString(1, userID);   // parameter indexes are 1-based
    ResultSet rs = statement.executeQuery();


    If you directly pass userID into the query as you are doing, then it may be attacked by an SQL INJECTION attack.

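The contrast described in the answer above, as an added example that is not part of the original post: the concatenating form the question describes next to the parameter-binding form. It assumes an open `Connection` to a MySQL database with an `employee` table that has a `userID` column; the class name, method names and the connection placeholders are hypothetical.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example (not from the original post). Assumes an open Connection
// to a MySQL database with a table employee(userID VARCHAR, ...).
public class UserValidation {

    // The pattern the question describes: the value is spliced into the SQL
    // text, so a userID containing a quote character changes what the query
    // means. This is the SQL injection risk the answer warns about.
    static boolean existsUnsafe(Connection con, String userID) throws SQLException {
        String sql = "SELECT * FROM employee WHERE userID = '" + userID + "'";
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Parameterised form: the '?' placeholder is bound with setString, so the
    // caller's input is sent as a string value and is never parsed as SQL.
    static boolean existsSafe(Connection con, String userID) throws SQLException {
        String sql = "SELECT 1 FROM employee WHERE userID = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, userID);          // parameter indexes are 1-based
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();             // true if at least one row matched
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Placeholder connection details; replace with your own host, schema and credentials.
        String url = "jdbc:mysql://localhost:3306/DB_NAME_PLACEHOLDER";
        try (Connection con = DriverManager.getConnection(url, "USER_PLACEHOLDER", "PASSWORD_PLACEHOLDER")) {
            System.out.println("user exists: " + existsSafe(con, "alice"));
        }
    }
}
```

The validation class should only ever call the `existsSafe` shape; `existsUnsafe` is included to show the construction being replaced.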