Hi,
I have just started using Java to connect to my database. I wish to know more about security, though. Here http://msdn.microsoft.com/msdnmag/is.../securitytips/ it says how a user can maliciously add SQL code to data they enter.
However, the real cause for concern is the string concatenation that builds the SQL statement. If a user enters an ID of 1001, then you get the following SQL statement, which is perfectly valid and well formed.
SELECT hasshipped FROM shipping WHERE id = '1001'

However, attackers are more creative than this. They would enter an ID of "'1001' DROP table shipping --", which would execute the following query:
SELECT hasshipped FROM shipping WHERE id = '1001' DROP table shipping -- ';
I tried to do this on my database but couldn't get anything bad to happen.

My code is:
Code:
// The untrusted value f and the combo-box selection are spliced straight
// into the SQL text, so any quotes or semicolons they contain become SQL.
// (Java strings must be compared with equals(), not ==.)
String selected = flan.getSelectedItem().toString();
if ("null".equals(selected))
{
    s = "INSERT INTO FILE VALUES ('" + f + "',null);";
}
else
{
    s = "INSERT INTO FILE VALUES ('" + f + "','" + selected + "');";
}
I tried several times to get bad things to happen but can't. I am not sure why I can't, which is not reassuring, so can anyone give me some pointers please?

Thanks.