The quotes shouldn't be in the prepared statement either, but inserting table/column names is a bigger problem. Or are you saying your database supports that? If so, which one is it? I've never heard of that.
Daniel Stege Lindsjo
Joined: Jun 28, 2010
I've already made a page that adds users with attributes and it works just fine :P
If however the quotes are not in the statement, the SQL call to MySQL will fail with a syntax error.
Could you rewrite the statement then that I may test it?
Some databases/drivers unfortunately support PreparedStatements with table and column names as parameters, BUT often times this is just a fluke. The JDBC driver could escape the value of the column or table name, and the escaped value happens to produce valid SQL. It's extremely dangerous to do though, since any change to the driver or database could easily break the query.
For things like this, you really need to build the query yourself with StringBuilder and only apply PreparedStatement parameters to things that are parameters, not tables and columns. I've seen people write JDBC code such as "ORDER BY ?" which happens to work for some drivers, but in general should never work. The query should be resolved as part of building the query string and fed into the PreparedStatement fully formed.
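The approach described in the reply above, as an added example that is not code from any poster in this thread: table and column names are checked against a fixed allow-list and concatenated into the query string with a StringBuilder, while the user-supplied values are the only things bound as `?` parameters. The table/column names and the `users` table are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class SafeInsert {
    // Identifiers come from an allow-list, never from a bound parameter.
    // (Assumed schema for this example.)
    private static final Set<String> ALLOWED_TABLES = Set.of("users");
    private static final Set<String> ALLOWED_COLUMNS = Set.of("name", "email", "age");

    // Builds "INSERT INTO users (name, email) VALUES (?, ?)" from validated
    // identifiers. Only placeholders go where values will be bound.
    static String buildInsert(String table, Map<String, String> values) {
        if (!ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("table not allowed: " + table);
        }
        StringBuilder cols = new StringBuilder();
        StringBuilder marks = new StringBuilder();
        for (String col : values.keySet()) {
            if (!ALLOWED_COLUMNS.contains(col)) {
                throw new IllegalArgumentException("column not allowed: " + col);
            }
            if (cols.length() > 0) { cols.append(", "); marks.append(", "); }
            cols.append(col);
            marks.append('?');
        }
        return "INSERT INTO " + table + " (" + cols + ") VALUES (" + marks + ")";
    }

    // Executes the fully formed query; values are bound as parameters, so
    // quotes and escaping are handled by the driver, not by string building.
    static int insertRow(Connection conn, String table, Map<String, String> values)
            throws SQLException {
        String sql = buildInsert(table, values);
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            int i = 1;
            for (String v : values.values()) {
                ps.setString(i++, v); // value "O'Brien" needs no quoting here
            }
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        Map<String, String> row = new LinkedHashMap<>(); // keeps column order stable
        row.put("name", "O'Brien");
        row.put("email", "ob@example.com");
        System.out.println(buildInsert("users", row));
    }
}
```

Running `main` prints `INSERT INTO users (name, email) VALUES (?, ?)`; a column name outside the allow-list is rejected before any SQL is built.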