In PreparedStatement table name can vary

 
Ranch Hand
I want to make a PreparedStatement which has a query like
"select * from ?"
? is the table name, which can vary. Is this possible? Because when I try to do it, it gives an error.
Can we see the query which the PreparedStatement sent to the database?
Thanks
 
Bartender

I want to make a PreparedStatement which has a query like
"select * from ?"

It's not possible.
You can bind column values, but not table names or column names in a PreparedStatement.

Regards, Jan
 
Ranch Hand
It's because of the nature of PreparedStatement and how it works.

The PreparedStatement gives you an advantage over the normal Statement object in that it binds and compiles the query (precompilation) against the table and column(s) which are involved.

Because of this, the time taken to compile is reduced every time you execute the query, since you can just change the values at runtime, which really does not involve the resource-expensive entities in the database.
 
Ranch Hand
Hi dmay chug

In the PreparedStatement the table name should vary

Can you try like this?

First pass the query in a string and pass the table in another string like this

String varytable = ...; // obtained from the caller, e.g. a JSP, servlet or EJB

String sql = "select * from " + varytable;   // table name is an identifier, so no quotes around it
PreparedStatement pst = con.prepareStatement(sql, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);   // 1004 and 1007 are these constants
ResultSet rs = pst.executeQuery();

Check and tell me your feedback regarding this.


Rgs
k.krishnamoorthy
 
Raghavan Muthu
Ranch Hand

Originally posted by dmay chug:

...Can we see the query which the PreparedStatement sent to the database?



Yes, if you could print out the prepared statement object in your log or SOP, it will give you the statement being sent to JDBC.
 
amit sharma
Ranch Hand

Originally posted by krishnamoorthy kitcha:
Hi dmay chug

In the PreparedStatement the table name should vary

Can you try like this?

First pass the query in a string and pass the table in another string like this

String varytable = ...; // obtained from the caller, e.g. a JSP, servlet or EJB

String sql = "select * from " + varytable;   // table name is an identifier, so no quotes around it
PreparedStatement pst = con.prepareStatement(sql, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);   // 1004 and 1007 are these constants
ResultSet rs = pst.executeQuery();

Check and tell me your feedback regarding this.


Rgs
k.krishnamoorthy


Can it not make my application vulnerable to an SQL injection attack?
Thanks
 
Jan Cumps
Bartender

Originally posted by Raghavan Muthu:
... in your log or SOP...

Raghavan, what is a SOP?
Regards, Jan
 
author & internet detective

Originally posted by Jan Cumps:
what is a SOP?


System.out.println
 
Jeanne Boyarsky
author & internet detective

Originally posted by dmay chug:
Can it not make my application vulnerable to an SQL injection attack?


It depends on where the data comes from. Don't let the user type in a table name directly. Suppose you had them pick an entry from a list for which table they want to use. After they submit, validate the entry is in fact in the list. That would prevent entering special characters.

Usually users don't know enough about the schema to be involved in picking a table anyway. They have some higher level knowledge which you would have to map to the table name. If you pick it, you know it is valid.
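One way to follow the advice above, as an added example that is not code from the thread or from any of its posters: the user's choice is resolved through a fixed map of allowed table names before any SQL is built, while the row filter is bound as a normal parameter. The table and column names (ORDERS, CUSTOMERS, ID) and the use of Java 9+ Map.of are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;

// Added example, not code from the thread. The UI offers a fixed set of
// choices; each choice maps to a table name held here, so the identifier
// that reaches the SQL text never comes from the request itself.
public class TableChoice {

    // Allow-list: keys are what the user may pick, values are the only
    // table names that can be spliced into the query (names are assumed).
    private static final Map<String, String> TABLES = Map.of(
            "orders",    "ORDERS",
            "customers", "CUSTOMERS");

    /** Resolves a submitted choice to a known table name. Anything that is
     *  not a key in the allow-list is rejected before any SQL is built. */
    static String resolveTable(String choice) {
        String table = TABLES.get(choice);
        if (table == null) {
            throw new IllegalArgumentException("unknown table choice: " + choice);
        }
        return table;
    }

    /** The table name is an identifier, so it comes from the allow-list;
     *  the ID is a value, so it is bound with setLong(), never concatenated. */
    static boolean rowExists(Connection con, String choice, long id) throws SQLException {
        String sql = "SELECT 1 FROM " + resolveTable(choice) + " WHERE ID = ?";
        try (PreparedStatement pst = con.prepareStatement(sql)) {
            pst.setLong(1, id);
            try (ResultSet rs = pst.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```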
 
Raghavan Muthu
Ranch Hand

Originally posted by Jan Cumps:
Raghavan, what is a SOP?
Regards, Jan



Sorry for having used the abbreviation. It stands for the "System.out.println()" method, similar to printf() in C and cout in C++.
 