Win a copy of Think Java: How to Think Like a Computer Scientist this week in the Java in General forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

How to use Prepared statements when searching an unknown number of values

 
Mark Wa
Ranch Hand
Posts: 122
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello, I would like to use a prepared statements to do a select statement, however I do not know how many values I would need to compare against until runtime.

The statement would look like this

select * from table where column name like 'value1' or 'value2' or 'value3'

but I do not know how many values I may need to add in as the user will be selecting them. Currently I have built the statement as a string, but I need it to be resisteant against sql injection attacks.

Thanks,
 
Campbell Ritchie
Sheriff
Posts: 48917
58
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Welcome to JavaRanch

Have you got such queries working at the command line? Can you display details of tables and their columns so you could choose columns to enter into your statements?
 
Paul Sturrock
Bartender
Posts: 10336
Eclipse IDE Hibernate Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
JDBC doesn't have a setArrayOfValues method (this is a driver/database restriction) so you'll have to do it yourself. You'll probably have to build your SQL dynamically (as you would a Statement) and keep track of the values passes to the query criteria then bind them at the end. So two loops should do it. To make things easier you might find that "in" clauses are easier to manage than multiple or conditions.

 
Mark Wa
Ranch Hand
Posts: 122
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Paul Sturrock wrote:JDBC doesn't have a setArrayOfValues method (this is a driver/database restriction) so you'll have to do it yourself. You'll probably have to build your SQL dynamically (as you would a Statement) and keep track of the values passes to the query criteria then bind them at the end. So two loops should do it. To make things easier you might find that "in" clauses are easier to manage than multiple or conditions.



Would this not be inefficient? as a prepared statement is somehow stored, so that the database knows how to best access the data prior to the query being run
 
John Kimball
Ranch Hand
Posts: 96
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The efficiency of the prepared statement really only comes into play if the same SQL query is reused in bulk--that is it needs to be re-used dozens, hundreds, or thousands of times in one session--in which case the same instance of the prepared statement is supposed to be re-used.

 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 34378
346
Eclipse IDE Java VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
See my article on select batching for the JavaRanch Journal. I wrote it in 2005, but it everything in it is still true.
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic