
CST363 - Week 20

  • Writer: YZ
  • May 25, 2020
  • 1 min read



What are the steps to coding a Java program that will perform a SELECT statement that returns multiple rows?

  • Make a connection to the database

  • Create a Prepared Statement which includes the SELECT statement

  • Set the parameters

  • Get a Result Set that contains rows and columns

  • Close the connection


What is a parameterized SQL statement?  

A parameterized SQL statement is one in which a placeholder such as "?" stands in for certain values; the actual values are supplied at runtime and bound to the statement before it is executed.


What is an "injection attack" and how do parameterized statements help to prevent such security attacks?

An "injection attack" is when an attacker is able to access data by manipulating an application's queries to the database. Attackers can view and even change or remove data. This is a great security concern if attackers retrieve sensitive data such as passwords or credit card information.

By using parameterized statements, the queries do not contain direct user input, so attackers cannot manipulate them as they could without these statements. In this way, the user input is not treated as part of the SQL query, but as a literal value. This is a safer way to handle and protect sensitive data.
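As an added example (not code from the original post), the following Java class walks through the five steps listed above for a SELECT that returns multiple rows, and places the string-concatenation form beside the parameterized form so the difference described in the injection question is visible in code. The JDBC URL, credentials, and the `students(id, name, email)` table are assumed; the matching JDBC driver must be on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class StudentLookup {

    // Assumed JDBC URL and credentials: replace with your own database.
    private static final String URL = "jdbc:mysql://localhost:3306/school";
    private static final String USER = "app_user";
    private static final String PASSWORD = "change-me";

    // Assumed table: students(id INT, name VARCHAR, email VARCHAR).
    // The SQL text is fixed here; only the value behind "?" changes at runtime.
    private static final String FIND_BY_NAME =
        "SELECT id, name, email FROM students WHERE name = ?";

    /**
     * UNSAFE, shown only as the "before" form: the caller's input is pasted
     * into the SQL text, so quote characters in the input become part of the
     * query's structure instead of being compared as data.
     */
    static List<String> findByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT id, name, email FROM students WHERE name = '" + name + "'";
        List<String> rows = new ArrayList<>();
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            while (rs.next()) {
                rows.add(rs.getInt("id") + " " + rs.getString("name") + " " + rs.getString("email"));
            }
        }
        return rows;
    }

    /**
     * SAFE: steps 2 to 4 from the post. The "?" is bound separately with
     * setString, so the driver sends the input as a literal value. An input
     * containing quotes is simply compared against the name column and
     * matches nothing.
     */
    static List<String> findByName(Connection conn, String name) throws SQLException {
        List<String> rows = new ArrayList<>();
        // Step 2: create the PreparedStatement that includes the SELECT.
        try (PreparedStatement ps = conn.prepareStatement(FIND_BY_NAME)) {
            // Step 3: set the parameter (parameter indexes are 1-based).
            ps.setString(1, name);
            // Step 4: get a ResultSet and walk its rows and columns.
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getInt("id") + " " + rs.getString("name") + " " + rs.getString("email"));
                }
            }
        } // ResultSet and PreparedStatement are closed here by try-with-resources.
        return rows;
    }

    public static void main(String[] args) throws SQLException {
        String name = args.length > 0 ? args[0] : "Alice";
        // Step 1: make the connection; Step 5: try-with-resources closes it,
        // even if executeQuery throws.
        try (Connection conn = DriverManager.getConnection(URL, USER, PASSWORD)) {
            for (String row : findByName(conn, name)) {
                System.out.println(row);
            }
        }
    }
}
```

Run it as `java StudentLookup "Alice"` with the driver on the classpath. The point to notice is that `findByName` never builds SQL from the argument: the query text is a constant and the name travels to the database as a bound value, which is exactly what "treated as a literal" means in the answer above.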



©2020 by yz-learningjournal-csumb. Proudly created with Wix.com
