string builder and string buffer and syntax

gudii9 used Ask the Experts™
String sql = "Insert Into Users (name, email, pass, address)";
sql += " values ('" + user.getName();
sql += "', '" + user.getEmail();
sql += "', '" + user.getPass();
sql += "', '" + user.getAddress();
sql += "')";


In the above StringBuilder example, why is the ; not in double quotes?

I have the same question with StringBuilder as well:
StringBuilder sbSql
    = new StringBuilder("Insert Into Users (name, email, pass, address)");
sbSql.append(" values ('").append(user.getName());
sbSql.append("', '").append(user.getEmail());
sbSql.append("', '").append(user.getPass());
sbSql.append("', '").append(user.getAddress());
String sql = sbSql.toString();

Why do we need to call toString only in the case of StringBuilder?

Also, what does it mean that StringBuilder is not thread safe and StringBuffer is thread safe?

Any example or link that demonstrates this theory in practice?
Please advise.
Distinguished Expert 2018
The SQL statement needs to be a String, therefore when you finish with your StringBuilder you call the toString() method (StringBuilder is not a String).

Thread safe means that it is safe to call StringBuffer from multiple threads, while this is not true for StringBuilder. If you call StringBuilder from multiple threads, each thread might get a different result than is expected.
ste5an, Senior Developer
Because it is a poor example for the usage of StringBuilder.

We use parameterized queries instead of string fiddling to avoid SQL injection in the first place. Also, parameterized queries can be run as prepared queries, which have better performance.
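To put the two answers side by side, here is an added example (not code from the original post or from either expert): the StringBuilder statement from the question, with the toString() call it needs, next to the parameterized JDBC form ste5an recommends. The User class is a hypothetical stand-in for the asker's user object, and the JDBC Connection has to come from a real driver.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Added example, not code from the original post: the concatenated statement from
// the question beside the parameterized form ste5an recommends.
public class UserInsertExample {
    // Hypothetical stand-in for the asker's user object.
    static final class User {
        final String name, email, pass, address;
        User(String name, String email, String pass, String address) {
            this.name = name; this.email = email; this.pass = pass; this.address = address;
        }
    }

    // The question's approach: values are pasted into the SQL text, so the database
    // parses the data as part of the statement. One apostrophe in a value breaks it.
    static String buildConcatenated(User user) {
        StringBuilder sbSql = new StringBuilder("Insert Into Users (name, email, pass, address)");
        sbSql.append(" values ('").append(user.name);
        sbSql.append("', '").append(user.email);
        sbSql.append("', '").append(user.pass);
        sbSql.append("', '").append(user.address);
        sbSql.append("')");      // the ; here ends the Java statement; it is not part of the SQL
        return sbSql.toString(); // JDBC wants a String, which is why toString() is needed
    }

    // The parameterized form: the SQL text is fixed and the values are sent as
    // parameters, so the database never parses user data as SQL. Needs a real
    // JDBC Connection (no driver is bundled with this example).
    static int insertUser(Connection conn, User user) throws SQLException {
        String sql = "INSERT INTO Users (name, email, pass, address) VALUES (?, ?, ?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user.name);
            ps.setString(2, user.email);
            ps.setString(3, user.pass);
            ps.setString(4, user.address);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a legitimate name that happens to contain an apostrophe.
        User u = new User("O'Brien", "ob@example.com", "secret", "1 Main St");
        // The apostrophe closes the first quoted value early, so the database rejects
        // the concatenated statement; insertUser() stores the same name unchanged.
        System.out.println(buildConcatenated(u));
    }
}
```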
