JavaRanch Java Forums » Databases » JDBC

RE: stmt.ExecuteQuery question

Jeff Foflygen
Greenhorn

Joined: Mar 12, 2009
Posts: 12
Hello,

Is it possible to call a file with pre-determined queries specific to the application and list them in a drop-down? In my code right now, you select the schema, then in the next drop-down list you select the table within that schema.

Could I lock down in code one schema only, and then from the + selectTable portion call a file (or files) instead of selectTables? I hope this makes sense.

Thanks for any help!
Scott Selikoff
author
Saloon Keeper

Joined: Oct 23, 2005
Posts: 3716

Sure, just make "selectTable" an input parameter. Two concerns though:

1) You might be exposing too much to the outside world if those table names can come directly from a drop-down. Large possibility for SQL injection here. More likely, you'd have the drop-down send an integer value (0, 1, 2, 3, etc.) and then have the Java code select the table based on this value, preventing someone from entering an arbitrary table name.

2) You can't use a PreparedStatement to set the table name (in general); its parameters can only be used to set field values.

More often in these situations you find a list of the tables the person might want to access and write a query for each. It gives JDBC/Java a lot tighter control over the database. Any situation where the user can enter their own database table tends to fall into the 'database on top of a database' anti-pattern and be potentially susceptible to massive SQL injection.


My Blog: Down Home Country Coding with Scott Selikoff
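The pattern Scott describes above, as an added example that is not code from the original poster or from Scott: the browser only ever posts an integer index, the Java side maps that index to one hand-written query per table, and the only user-supplied value that reaches the database goes through a PreparedStatement placeholder. The schema, table and column names (APP.CUSTOMERS, APP.ORDERS, APP.INVOICES and their columns), the `filter` parameter and the caller-supplied `Connection` are all assumptions for the sake of the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Drop-down index -> fixed query. The table name never travels over the wire,
 * so there is nothing for the user to inject into the FROM clause.
 * Schema/table/column names below are assumed for this example.
 */
public class CannedQueries {

    // One hand-written query per table. Only the '?' placeholders carry user data,
    // and each placeholder sits where a field value belongs, which is the only
    // place JDBC lets you bind a parameter (concern 2 in the post above).
    private static final Map<Integer, String> QUERIES;
    static {
        Map<Integer, String> m = new LinkedHashMap<>();
        m.put(0, "SELECT id, name, email FROM APP.CUSTOMERS WHERE name LIKE ?");
        m.put(1, "SELECT id, customer_id, total FROM APP.ORDERS WHERE status = ?");
        m.put(2, "SELECT id, order_id, amount FROM APP.INVOICES WHERE currency = ?");
        QUERIES = Collections.unmodifiableMap(m);
    }

    // Labels to populate the drop-down; the option value is the map key (0, 1, 2).
    private static final String[] LABELS = {"Customers", "Orders", "Invoices"};

    public static List<String> dropDownLabels() {
        List<String> labels = new ArrayList<>();
        for (int i = 0; i < LABELS.length; i++) {
            labels.add(i + ": " + LABELS[i]);
        }
        return labels;
    }

    /** Map the posted form value to its SQL; anything outside the list is rejected. */
    public static String resolve(String postedIndex) {
        int idx;
        try {
            idx = Integer.parseInt(postedIndex.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("not a valid selection: " + postedIndex);
        }
        String sql = QUERIES.get(idx);
        if (sql == null) {
            throw new IllegalArgumentException("no query for selection " + idx);
        }
        return sql;
    }

    /**
     * Run the selected canned query. The filter value is bound with setString,
     * never concatenated into the SQL text, so "' OR '1'='1" is just a string.
     */
    public static List<String> run(Connection conn, String postedIndex, String filter)
            throws SQLException {
        String sql = resolve(postedIndex);
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, filter);
            try (ResultSet rs = ps.executeQuery()) {
                int cols = rs.getMetaData().getColumnCount();
                while (rs.next()) {
                    StringBuilder sb = new StringBuilder();
                    for (int i = 1; i <= cols; i++) {
                        if (i > 1) sb.append(", ");
                        sb.append(rs.getString(i));
                    }
                    rows.add(sb.toString());
                }
            }
        }
        return rows;
    }

    // Stand-alone demonstration of the index-to-query mapping; no database needed.
    public static void main(String[] args) {
        System.out.println(dropDownLabels());
        System.out.println(resolve("1"));
        String[] hostile = {"7", "1; DROP TABLE APP.ORDERS", "APP.ORDERS"};
        for (String h : hostile) {
            try {
                resolve(h);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Note what is deliberately absent: there is no `"SELECT * FROM " + selectTable` and no `conn.prepareStatement("SELECT * FROM ?")`. The first is the injection point the post warns about; the second fails (or binds the literal string, depending on the driver) because a placeholder can only stand in for a value, not for a table or column identifier.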