
I have to create a prepared statement to fetch data from a MySQL db.

I could not find a way to add ORDER BY in the prepared statement way, so I appended the ORDER BY info to the SQL string before creating the prepared statement.

However, the client's quality tool reported this as an SQL injection, since we added the ORDER BY info (i.e. asc/desc) from a variable.

Is there any alternative? Could you please help me? Thanks in advance.

Sanjay Rabari
Prasobh.Kollattu
    You can have a look at [this](http://stackoverflow.com/questions/2857164/cannot-use-a-like-query-in-a-jdbc-prepared-statement/2857417#2857417), perhaps of some help. – Jacob Jun 16 '14 at 11:22

1 Answer

Pass asc/desc as a parameter to the method and use it in the query string.

Ninad Pingale