Carlos Sanchez
8,900 Points
Wouldn't the JDBC class implementation taught in Hibernate Basics be extremely susceptible to SQL injection?
The video shows a SQL query being constructed from a string with %s placeholders and then formatted using String.format(). However, I have read from other sources that it is recommended to use PreparedStatement instead of a plain Statement, and to use '?' in place of the values to be populated. Is this the right way of doing this in a production environment?
1 Answer
Alexander Nikiforov
Java Web Development Techdegree Graduate, 22,175 Points
Which video exactly are you asking about?
If it is 'Hibernate Basics', then I can tell you that in the first part of the course he is showing that as an example of usage without Hibernate.
You can do it with a prepared statement if you like.
The point of the course, in the end, is to see how Hibernate works, and there are other ways to prevent SQL injection.
And that is what I suggest as well: do things with Hibernate, not with ugly direct interaction.
If I understood your question correctly, of course.
Here is my favorite article about SQL injection
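The two query shapes the question describes, side by side, as an added example that is not code from the course or from either poster. It assumes the sqlite-jdbc driver is on the classpath (so `jdbc:sqlite::memory:` gives a throwaway in-memory database); the `contact` table, its two rows and the `findByName*` method names are constructed for this demo. The unsafe method splices the value into the SQL text with `String.format`, so a quote in the input is parsed as SQL; the prepared version binds the same value to a `?` placeholder, so it is only ever compared as data.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class InjectionDemo {

    // Assumption: sqlite-jdbc is on the classpath. ":memory:" is a private database
    // that lives only as long as this one connection.
    private static final String URL = "jdbc:sqlite::memory:";

    // Constructed sample data for the demo, not from the course.
    private static void seed(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement()) {
            st.executeUpdate("CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
            st.executeUpdate("INSERT INTO contact (name, email) VALUES ('Alice', 'alice@example.com')");
            st.executeUpdate("INSERT INTO contact (name, email) VALUES ('Bob', 'bob@example.com')");
        }
    }

    // The pattern the question describes: the value is formatted into the SQL text,
    // so any quote characters in the input become part of the query's syntax.
    static List<String> findByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = String.format("SELECT email FROM contact WHERE name = '%s'", name);
        List<String> emails = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) emails.add(rs.getString("email"));
        }
        return emails;
    }

    // The fix the question asks about: a '?' placeholder bound with setString.
    // The SQL text is fixed at compile time of the statement; the value travels
    // separately and can never change the shape of the query.
    static List<String> findByNameSafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT email FROM contact WHERE name = ?";
        List<String> emails = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) emails.add(rs.getString("email"));
            }
        }
        return emails;
    }

    public static void main(String[] args) throws SQLException {
        // Classic tautology payload: closes the string literal, then appends an always-true condition.
        String payload = "x' OR '1'='1";
        try (Connection conn = DriverManager.getConnection(URL)) {
            seed(conn);
            // Honest input behaves the same either way: one matching row.
            System.out.println("format, honest input  : " + findByNameUnsafe(conn, "Alice"));
            System.out.println("prepared, honest input: " + findByNameSafe(conn, "Alice"));
            // The payload turns the formatted query into
            //   SELECT email FROM contact WHERE name = 'x' OR '1'='1'
            // and leaks every row; the prepared query looks for a contact literally
            // named "x' OR '1'='1" and returns nothing.
            System.out.println("format, payload       : " + findByNameUnsafe(conn, payload));
            System.out.println("prepared, payload     : " + findByNameSafe(conn, payload));
        }
    }
}
```

Two caveats worth keeping in mind when you move this into production code. Placeholders only cover values: a table name, a column in an ORDER BY or a LIMIT expression cannot be bound, so those must come from a fixed allow-list in your code rather than from the request. And `prepareStatement` gives no protection if the SQL string handed to it was itself built with `String.format` or concatenation; the value has to reach the database through `setString`/`setInt`/etc., not through the query text. Hibernate's named parameters (`:name` with `setParameter`) are the same mechanism one layer up, which is what the answer means by "other ways".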