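\begin{frame}[fragile]
  \frametitle{SQL Injection: How to Prevent It?}
  % Rule first (never concatenate), then the mechanism (parameter API);
  % the listing below shows the API side in Java/JDBC.
  \begin{goal}{To Prevent SQL Injection}
    \begin{itemize}
      \item \alert{\emph{Never build SQL queries with user input using string concatenation!}}
      \pause
      \item Use the API to fill in the query parameters.
      % Added item: says *why* the API helps, so the listing's fixed query text
      % with '+' is not mistaken for the concatenation the first item forbids.
      \item The placeholders (\texttt{?}) keep user input as \emph{data}:
        it is passed separately from the query text and is never parsed as SQL.
    \end{itemize}
  \end{goal}
  \pause\medskip
  % NOTE(review): the example compares the password inside the query; the
  % slide does not say how passwords are stored, so no claim is made here.
  \begin{code}{\textwidth}{Preventing SQL Injection}
    \begin{lstlisting}
String userName = // name that the user has entered
String userPassword = // password that the user has entered
// The query text is constant: '+' only joins string literals here,
// no user input is ever part of the SQL text.
PreparedStatement stat = conn.prepareStatement(
    "select balance from accounts " +
    "where name = ? " +
    " and password = ? ");
// use the API to fill the name and password
stat.setString(1, userName);
stat.setString(2, userPassword);
ResultSet rs = stat.executeQuery();
    \end{lstlisting}
  \end{code}
\end{frame}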