How do I use SQL prepared statements in a Servlet?

Question

If I need to use a prepared statement, what do I do?

Statement statement = conn.createStatement();
String sql ="SELECT * FROM polls WHERE pollname LIKE '%"+search+"%' or side1 LIKE '%"+search+"%' or side2 LIKE '%"+search+"%' ORDER BY totalvotes DESC";

ResultSet resultSet = statement.executeQuery(sql);
if(resultSet.next() == false){

Answer 1

With PreparedStatement, use ? to parameter placeholder, then use setXXX to set the parameter value across the parameter index(parameter Index started from 1, not 0).

Below the code:

PreparedStatement preparedStatement = conn.prepareStatement(
            "SELECT * FROM polls WHERE pollname LIKE ? or side1 LIKE ? or side2 LIKE ? ORDER BY totalvotes DESC");

String searchWizard = "%" + search + "%";
preparedStatement.setString(1, searchWizard);
preparedStatement.setString(2, searchWizard);
preparedStatement.setString(3, searchWizard);
ResultSet resultSet = preparedStatement.executeQuery();