0

I have written a SQL query:

select sum(amount) as totalAmount 
from employee_account 
where id = 29967 
and repayment_status in ("MARKEDPAID", "PAID", "PENDING", "OVERDUE");

This query is working fine in MySQL console. I have to execute this query in Java using

String query = ""
int id = 123
Connection connection = // connection code 
Statement statement = connection.createStatement()
ResultSet resultSet = statement.executeQuery(query)

I write the

query = "select sum(amount) as totalAmount from employee_account where id = ${id} and repayment_status in ()"

How do I pass "MARKEDPAID", "PAID", "PENDING", "OVERDUE" in above String query?

Mark Rotteveel
  • 100,966
  • 191
  • 140
  • 197
chaitanya gupta
  • 302
  • 5
  • 25

1 Answers1

0
String status = "\'OVERDUE\',\'PAID\',\'PENDING\',\'MARKEDPAID\'"
String query = "select sum(amount) as totalAmount from employee_account where id = ${id} and repayment_status in (${status})"
chaitanya gupta
  • 302
  • 5
  • 25
  • Your code is vulnerable to SQL injection. Do not use string interpolation for adding values into a query string, use JDBC parameters (the use of `${status}` is safe in **this** case, but `${id}` is not!). – Mark Rotteveel Dec 24 '21 at 15:42