Analyse the following code:

    public void dummyFunction(String var1, String var2) {
        try {
            Connection con = getConnection();
            String query = "select * from table1 where col1=" + var1 + " and col2=" + var2;
            Statement st = con.createStatement();
            ResultSet rs = st.executeQuery(query);
            // …… …..
        } catch (Exception e) {
        }
    }

var1 and var2 are user inputs passed directly to this function.