
RE: stmt.ExecuteQuery question

Jeff Foflygen

Joined: Mar 12, 2009
Posts: 12

Is it possible to call a file with pre-determined queries specific to the application and list them in a drop down? My code right now, you select the schema, then in the next drop down list you select the table within that schema;

Could I lock down in code 1 schema only and then from the + selectTable portion call a file(s) instead of selectTables? I hope this makes sense.

Thanks for any help!
Scott Selikoff
Saloon Keeper

Joined: Oct 23, 2005
Posts: 3753

Sure, just make "selectTable" an input parameter. Two concerns though:

1) Might be exposing too much to the outside world if those table names can come directly from a drop down. Large possibility for SQL injection here. More likely, you'd have the drop down send an integer value (0, 1, 2, 3, etc.) then have the Java code select the table based on this value, preventing someone from entering an arbitrary table name.

2) Can't use a PreparedStatement to set the table name (in general), can only be used to set field values.

More often in these situations you find a list of the tables the person might want to access and write a query for each. It gives JDBC/Java a lot tighter control over the database. Any situation where the user can enter their own database table tends to fall into the 'database on top of a database' anti-pattern and be potentially susceptible to massive SQL injection.

[OCA 8 Book] [Blog]
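
The approach described in the reply above, as an added example that is not code from the thread: the drop-down submits only an integer, the server maps it to one of a fixed list of queries, and a PreparedStatement binds the field value. The table names, column names, labels and the `FixedQueryMenu` class are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class FixedQueryMenu {
    // One pre-written query per menu entry (records need Java 16+).
    // Table and column names are constructed for illustration.
    record MenuQuery(String label, String sql) {}

    static final List<MenuQuery> QUERIES = List.of(
        new MenuQuery("Open orders", "SELECT id FROM app.orders WHERE status = ?"),
        new MenuQuery("Customers by region", "SELECT id FROM app.customers WHERE region = ?"));

    // The client sends only an index; table names never come from the request.
    static MenuQuery resolve(String submitted) {
        if (submitted == null) throw new IllegalArgumentException("missing menu index");
        int idx;
        try {
            idx = Integer.parseInt(submitted.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("not a menu index");
        }
        if (idx < 0 || idx >= QUERIES.size()) throw new IllegalArgumentException("index out of range");
        return QUERIES.get(idx);
    }

    // The SQL text is fixed server-side; only the field value is bound as a parameter.
    static List<String> run(Connection conn, String submittedIndex, String filter) throws SQLException {
        List<String> ids = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(resolve(submittedIndex).sql())) {
            ps.setString(1, filter);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) ids.add(rs.getString(1));
            }
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed inputs: two valid indexes, one out of range, one raw table name.
        for (String input : new String[] {"0", "1", "7", "app.orders"}) {
            try {
                System.out.println(input + " -> " + resolve(input).sql());
            } catch (IllegalArgumentException e) {
                System.out.println(input + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

`main` exercises only the index lookup, so it runs without a database; `run` needs a live JDBC `Connection`.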