In PreparedStatement table name can vary
amit sharma
Ranch Hand
Joined: Jul 19, 2006
Posts: 129
I want to make a PreparedStatement whose query is like "select * from ?", where ? is the table name, which can vary. Is this possible? When I try to do it, it gives an error. Can we see the query which the PreparedStatement sent to the database? Thanks
Jan Cumps
Bartender
Joined: Dec 20, 2006
Posts: 2343
Originally posted by dmay chug: I want to make preparedstatement which has query like "select * from ?"
It's not possible. You can bind column values, but not table names or column names in a PreparedStatement. Regards, Jan
Raghavan Muthu
Ranch Hand
Joined: Apr 20, 2006
Posts: 3327
It's because of the nature of PreparedStatement and how it works. The PreparedStatement gives you an advantage over the normal Statement object in that it binds and compiles the query (precompilation) against the table and column(s) which are involved. Because of this, the time taken to compile is reduced every time you execute the query, since you can just change the values at runtime, which really does not involve the resource-expensive entities in the database.
krishnamoorthy kitcha
Ranch Hand
Joined: Feb 04, 2006
Posts: 96
Hi dmay chug, in the PreparedStatement the table name should vary. Can you try like this? First pass the query in a string, and pass the table in another string, like this:

    String varytable = ...; // get it from the object, e.g. from a JSP, servlet or EJB
    String sql = "select * from " + varytable; // identifier concatenated into the SQL text; quoting it with '...' would make it a string literal, not a table name
    PreparedStatement pst = con.prepareStatement(sql, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); // the constants 1004 and 1007
    ResultSet rs = pst.executeQuery();

Check and tell me your feedback regarding this. Rgs k.krishnamoorthy
Raghavan Muthu
Ranch Hand
Joined: Apr 20, 2006
Posts: 3327
Originally posted by dmay chug: ....Can we see the query which preparedstatement sent to the database.
Yes, if you print out the PreparedStatement object in your log or via SOP, it will give you the statement being sent to JDBC.
amit sharma
Ranch Hand
Joined: Jul 19, 2006
Posts: 129
Originally posted by krishnamoorthy kitcha: Hi dmay chug, in the PreparedStatement the table name should vary. Can you try like this? First pass the query in a string, and pass the table in another string, like this:

    String varytable = ...; // get it from the object, e.g. from a JSP, servlet or EJB
    String sql = "select * from " + varytable;
    PreparedStatement pst = con.prepareStatement(sql, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
    ResultSet rs = pst.executeQuery();

Check and tell me your feedback regarding this. Rgs k.krishnamoorthy
Can it not make my application vulnerable to an SQL injection attack? Thanks
Jan Cumps
Bartender
Joined: Dec 20, 2006
Posts: 2343
Originally posted by Raghavan Muthu: ... in your log or SOP...
Raghavan, what is a SOP? Regards, Jan
Jeanne Boyarsky
internet detective
Marshal
Joined: May 26, 2003
Posts: 26193
Originally posted by Jan Cumps: what is a SOP?
System.out.println
Jeanne Boyarsky
internet detective
Marshal
Joined: May 26, 2003
Posts: 26193
Originally posted by dmay chug: Can it not make my application vulnerable to sql injection attack.
It depends on where the data comes from. Don't let the user type in a table name directly. Suppose you had them pick an entry from a list for which table they want to use. After they submit, validate the entry is in fact in the list. That would prevent entering special characters. Usually users don't know enough about the schema to be involved in picking a table anyway. They have some higher level knowledge which you would have to map to the table name. If you pick it, you know it is valid.
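One way to implement the allowlist approach Jeanne describes, as an added example that is not code from this thread: the user picks a key from a fixed list, the server maps that key to the real table name, and only the row filter is bound as a PreparedStatement parameter. The table names app_orders and app_invoices, the report keys, and the in-memory H2 connection (assumed to be on the classpath; any JDBC database works) are assumptions made for the example. It also shows, for the original question, that binding the table name itself fails at the driver.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Map;

public class TableChooser {

    // Allowlist: the key the user may pick (e.g. an option in a <select> list)
    // mapped to the real table name. Users never type a table name; only values
    // from this map are ever placed into SQL text. (Hypothetical names.)
    private static final Map<String, String> REPORT_TABLES = Map.of(
            "orders",   "app_orders",
            "invoices", "app_invoices");

    /** Resolves a user-supplied key to a table name; anything not listed is refused. */
    static String resolveTable(String userKey) {
        String table = REPORT_TABLES.get(userKey);
        if (table == null) {
            throw new IllegalArgumentException("unknown report: " + userKey);
        }
        return table;
    }

    /** Builds the SQL text. The identifier comes from the allowlist, never from the
        request; the row filter stays a bind parameter. */
    static String buildQuery(String userKey) {
        return "SELECT id, amount FROM " + resolveTable(userKey) + " WHERE amount >= ?";
    }

    /** Runs the allowlisted query and counts the rows returned. */
    static int countRows(Connection con, String userKey, int minAmount) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(buildQuery(userKey))) {
            ps.setInt(1, minAmount);           // value binding is what PreparedStatement is for
            try (ResultSet rs = ps.executeQuery()) {
                int n = 0;
                while (rs.next()) {
                    n++;
                }
                return n;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: the H2 driver is on the classpath.
        try (Connection con = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = con.createStatement()) {       // constructed sample data
                st.execute("CREATE TABLE app_orders (id INT, amount INT)");
                st.execute("INSERT INTO app_orders VALUES (1, 50), (2, 150), (3, 250)");
            }

            // 1. Binding the table name does not work: the database rejects "FROM ?"
            //    (whether the error surfaces at prepare or execute time depends on the driver).
            try (PreparedStatement bad = con.prepareStatement("SELECT * FROM ?")) {
                bad.setString(1, "app_orders");
                bad.executeQuery();
            } catch (SQLException e) {
                System.out.println("cannot bind a table name: " + e.getMessage());
            }

            // 2. Allowlisted key -> table name, filter value bound normally.
            System.out.println("rows >= 100: " + countRows(con, "orders", 100));

            // 3. Anything not on the list, including an injection attempt, is refused
            //    before any SQL text is built.
            try {
                countRows(con, "app_orders; DROP TABLE app_orders", 0);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The validation happens on the key, not on the table name: the request can only select from the fixed set of entries, so there is nothing to escape. If you need to see what is sent, log the string returned by buildQuery; whether printing the PreparedStatement object also shows the bound values depends on the JDBC driver.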
Raghavan Muthu
Ranch Hand
Joined: Apr 20, 2006
Posts: 3327
Originally posted by Jan Cumps: Raghavan, what is a SOP? Regards, Jan
Sorry for having used the abbreviation. It stands for the "System.out.println()" method, similar to printf() in C and cout in C++.