I know that using Statement and a plain String is bad programming, and I need to use PreparedStatement to avoid SQL injection. But can I create a string and then put the String into a PreparedStatement, or is this the same as using Statement?
For example:
String sql = "SELECT * FROM users WHERE user_ID = ?";   // SQL text with a placeholder where the value will go
preparedStatement = connection.prepareStatement(sql);   // driver parses the statement now, before any value is seen
preparedStatement.setLong(1, userId);                   // the value is bound to the placeholder, never parsed as SQL
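The distinction the question is asking about, shown as an added example that is not part of the question. It uses Python's sqlite3 module as a stand-in for JDBC, because the binding model is the same: the SQL text can be assembled in code as long as any untrusted value is bound through a placeholder rather than concatenated into the text. The table, rows, function names and the sort-column allowlist are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with a few sample users (not data from the question).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_ID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def find_user_bound(conn, user_id):
    # The SQL text is built as an ordinary string first, exactly like the `String sql`
    # in the question. The value still goes through the driver's placeholder, so it is
    # treated as data and never parsed as SQL: this is a prepared statement used correctly.
    sql = "SELECT * FROM users WHERE user_ID = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def find_user_concatenated(conn, user_id):
    # Here the value itself is spliced into the SQL text before the driver sees it.
    # Handing the result to a prepared statement changes nothing: there is no
    # placeholder left to bind, and the driver parses whatever the caller supplied.
    # This is the pattern that is equivalent to Statement and is injectable.
    sql = "SELECT * FROM users WHERE user_ID = " + str(user_id)
    return conn.execute(sql).fetchall()


# Hypothetical allowlist for this example: the only column names the code will splice in.
ALLOWED_SORT_COLUMNS = {"user_ID", "name"}


def list_users_sorted(conn, sort_column):
    # Placeholders can only stand in for values, never for identifiers such as a column
    # or table name, so those parts must be concatenated. Building the string is safe
    # only when that part comes from a fixed set the code controls, not from the request.
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    sql = "SELECT name FROM users ORDER BY " + sort_column
    return [row[0] for row in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    db = make_db()
    hostile = "2 OR 1=1"
    print(find_user_bound(db, 2))                 # the intended row
    print(find_user_bound(db, hostile))           # bound as a value: matches nothing
    print(find_user_concatenated(db, hostile))    # spliced into the text: every row comes back
    print(list_users_sorted(db, "name"))
```

The bound version returns nothing for the hostile input because the whole string `2 OR 1=1` is compared against the integer column as one value; the concatenated version turns the same input into a `WHERE ... OR 1=1` clause and returns every row. Building the SQL string in code is fine; what matters is that no untrusted value ends up inside that string.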