
I know that for PreparedStatement I need to feed the SQL expression into the PreparedStatement like this:

 String updateStatement =
        "update " + dbName + ".COFFEES " +
        "set TOTAL = TOTAL + ? " +
        "where COF_NAME = ?";

However, can I feed the update statement the full where clause without "?"?

For example

 String updateStatement =
        "update " + dbName + ".COFFEES " +
        "set TOTAL = TOTAL + ? " +
        "where COF_NAME = 'aaa'";

It is just because I get the where clause as a parameter in my function, and I don't think it would be efficient to parse the string to break it up.

Mark Rotteveel
Snake
    You only need the question mark for dynamic parameters. You are able to hardcode the where clause. – OneCricketeer Jun 04 '16 at 17:33
  • So I can hardcode the full where clause, no issues? – Snake Jun 04 '16 at 17:44
  • If you don't need parameters, you don't need to use them. Did you even try before asking this question? – Mark Rotteveel Jun 04 '16 at 17:52
  • @MarkRotteveel I don't ask questions if I didn't face a trouble. I am new to PreparedStatement. I use it successfully in insert. But with update, I am using it and I am getting an exception. So I wanted to know if the source of my problem is the non "?" in where or something else. With Cricket's comment, I was able to confirm that it is something else. SQL exceptions are not very trivial to figure out what's wrong with them. I could've posted the exception and asked people to solve it for me but I prefer to find out myself. Anyways thanks for the comment – Snake Jun 04 '16 at 17:57
  • Note that if you're getting a part of the `WHERE` clause as a parameter from a potentially unsafe source (user input / configuration), embedding that into the prepared statement will make it vulnerable to SQL injection. – Mick Mnemonic Jun 04 '16 at 18:11
  • Next time you're faced with such a problem, post the actual code and the exception instead of chasing hypotheticals. – Mark Rotteveel Jun 04 '16 at 18:21

1 Answer

The purpose of using a prepared statement is to have dynamic variables, but as you're asking if you can hard-code the whole where clause: yes, you can hard-code it.

hulkinBrain
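As an added example (not code from the question, the answer or the JDBC tutorial the COFFEES table comes from), the three variants side by side: the hard-coded where clause the answer approves of, the concatenation of a caller-supplied where clause that Mick Mnemonic's comment warns about, and the hardened form that takes the value as a bind parameter. The class name, method names and the `con`/`dbName` parameters are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class CoffeeUpdates {

    // Fixed WHERE clause: a literal written in source code, so no "?" is needed.
    // Only the amount is a bind parameter. dbName is an identifier and cannot be
    // bound; it must come from trusted configuration, never from user input.
    static int addToHardcodedCoffee(Connection con, String dbName, int amount)
            throws SQLException {
        String sql = "update " + dbName + ".COFFEES "
                   + "set TOTAL = TOTAL + ? "
                   + "where COF_NAME = 'aaa'";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setInt(1, amount);
            return ps.executeUpdate();
        }
    }

    // Vulnerable when whereClause is caller-supplied: PreparedStatement only
    // protects values passed through setXxx(), not text concatenated into the
    // SQL string. A hostile clause can widen the update to every row.
    static int addWithRawWhere(Connection con, String dbName, int amount,
                               String whereClause) throws SQLException {
        String sql = "update " + dbName + ".COFFEES "
                   + "set TOTAL = TOTAL + ? where " + whereClause;
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setInt(1, amount);
            return ps.executeUpdate();
        }
    }

    // Hardened: the caller passes the value, the clause shape stays in source.
    static int addToNamedCoffee(Connection con, String dbName, int amount,
                                String coffeeName) throws SQLException {
        String sql = "update " + dbName + ".COFFEES "
                   + "set TOTAL = TOTAL + ? where COF_NAME = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setInt(1, amount);
            ps.setString(2, coffeeName);   // quoted/escaped by the driver
            return ps.executeUpdate();
        }
    }
}
```

If the caller genuinely needs to choose among several clause shapes, map its input to one of a fixed set of SQL strings kept in source rather than accepting clause text.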