DB db = new DB();\r
@SuppressWarnings("resource")\r
Connection conn = db.getConnection();\r
- try(Statement stmt = conn.createStatement()) {\r
- String sql = "select KEYNAME, VALUE from PARAMETERS where KEYNAME = '" + k + "'";\r
- try(ResultSet rs = stmt.executeQuery(sql)) {\r
+ try(PreparedStatement stmt = conn.prepareStatement("select KEYNAME, VALUE from PARAMETERS where KEYNAME = ?")) {\r
+ stmt.setString(1, k);\r
+ try(ResultSet rs = stmt.executeQuery()) {\r
if (rs.next()) {\r
v = new Parameters(rs);\r
}\r