\begin{frame}[fragile]
\frametitle{SQL Injection: How to Prevent It?}
\begin{goal}{To Prevent SQL Injection}
\begin{itemize}
\item \alert{\emph{Never build the text of an SQL query from user input by string concatenation (or string formatting)!}}
\pause
\item Use the database API's parameterized queries (e.g.\ \texttt{PreparedStatement}) to bind the query parameters: the SQL text stays constant and the user's values are sent to the database separately, so they can never be parsed as SQL.
Placeholders only stand for \emph{values}; table or column names and sort orders cannot be bound and must be checked against an allow-list instead.
\end{itemize}
\end{goal}
\pause\medskip
\begin{code}{\textwidth}{Preventing SQL Injection}
\begin{lstlisting}
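String userName = // name that the user has entered (untrusted input)
String userPassword = // password that the user has entered (untrusted input)
// The query text is a constant: the user's values never become part of it.
String query = "select balance from accounts where name = ? and password = ?";
// try-with-resources closes the statement and result set even when
// executeQuery() throws a SQLException (the original never closed them).
try (PreparedStatement stat = conn.prepareStatement(query)) {
    // bind name and password through the API; the driver transmits them
    // separately from the SQL text, so they are treated purely as data
    stat.setString(1, userName);
    stat.setString(2, userPassword);
    try (ResultSet rs = stat.executeQuery()) {
        // ... read the balance from rs ...
    }
}
// NOTE: comparing the raw password inside SQL is for illustration only;
// a real application stores a salted password hash and verifies it in
// application code instead of keeping plaintext passwords in the table.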
\end{lstlisting}
\end{code}
\end{frame}