Monday, June 10, 2002 03:56 AM
You're already using PreparedStatement, which is a step in the right direction.
However, you should use the following convention for including strings with "'" characters:
String sql = "SELECT user FROM table1 WHERE user = ?";
pstmt = con.prepareStatement(sql);
pstmt.setString(1, userName); // bind the value as a parameter; the driver handles any "'" in it
rs = pstmt.executeQuery();
setString(int, String) is a safe way to include any kind of string into an SQL statement.
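As an added example (not code from the original post), here is the same lookup written twice: once with string concatenation, where a user name containing an apostrophe becomes part of the SQL text, and once with a bound parameter as the post recommends. It assumes an open JDBC Connection and the table1/user names from the post; the class and method names are my own.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not from the original post. Assumes an open JDBC Connection
 * and a table named table1 with a column named user, as in the post.
 */
public class UserLookup {

    /**
     * Vulnerable form: the caller's input is spliced into the SQL text itself,
     * so a name such as O'Brien terminates the string literal early and the
     * database sees a different (or syntactically broken) statement.
     */
    public static List<String> findUserUnsafe(Connection con, String userName) throws SQLException {
        String sql = "SELECT user FROM table1 WHERE user = '" + userName + "'";
        List<String> matches = new ArrayList<>();
        try (Statement stmt = con.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            while (rs.next()) {
                matches.add(rs.getString("user"));
            }
        }
        return matches;
    }

    /**
     * Safe form: the SQL text is fixed at prepare time and the value travels
     * separately as a parameter, so quote characters in userName are data,
     * never syntax. No manual escaping is needed.
     */
    public static List<String> findUserSafe(Connection con, String userName) throws SQLException {
        String sql = "SELECT user FROM table1 WHERE user = ?";
        List<String> matches = new ArrayList<>();
        try (PreparedStatement pstmt = con.prepareStatement(sql)) {
            pstmt.setString(1, userName); // 1-based parameter index
            try (ResultSet rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    matches.add(rs.getString("user"));
                }
            }
        }
        return matches;
    }

    /** Usage: a name with an apostrophe works as-is through the safe form. */
    public static List<String> lookupOBrien(Connection con) throws SQLException {
        return findUserSafe(con, "O'Brien");
    }
}
```

The only difference that matters is where the value goes: in findUserUnsafe it is part of the statement string, in findUserSafe it is passed to setString after the statement has been prepared, so the database never parses it as SQL.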