However, be sure to do proper validation of the table name to prevent SQL injection. As a table name cannot be bound into the query, you must validate it. The best validation would be to verify that a table with that name actually exists in the database. If the verification means running another query, make sure to bind the value in this case.
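The validation described in this answer, as an added example that is not part of the original thread: the requested name is compared against the tables the JDBC driver reports, and only the catalog's own spelling is placed into the SQL text. The class and method names are hypothetical, the JDBC URL is supplied by the reader, and the sketch assumes table names are unique across the schemas the connection can see.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SafeTableQuery {

    // Returns the table name exactly as the database catalog spells it, or throws.
    // The untrusted candidate is only compared in Java. It is not passed as the
    // getTables() pattern, because '%' and '_' act as wildcards there.
    static String resolveTableName(Connection conn, String candidate) throws SQLException {
        DatabaseMetaData meta = conn.getMetaData();
        try (ResultSet rs = meta.getTables(null, null, "%", new String[] {"TABLE"})) {
            while (rs.next()) {
                String name = rs.getString("TABLE_NAME");
                if (name.equalsIgnoreCase(candidate)) {
                    return name;
                }
            }
        }
        throw new IllegalArgumentException("Unknown table: " + candidate);
    }

    // Builds the query from the catalog's spelling, never from the raw input.
    static long countRows(Connection conn, String requestedTable) throws SQLException {
        String table = resolveTableName(conn, requestedTable);
        // getIdentifierQuoteString() returns " " when the database has no quoting.
        String q = conn.getMetaData().getIdentifierQuoteString().trim();
        if (!q.isEmpty()) {
            table = table.replace(q, q + q); // escape a quote character inside the name
        }
        String sql = "SELECT COUNT(*) FROM " + q + table + q;
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getLong(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        // args[0]: JDBC URL of your database (assumption); args[1]: untrusted table name
        try (Connection conn = DriverManager.getConnection(args[0])) {
            System.out.println(countRows(conn, args[1]));
        }
    }
}
```

Any values in a WHERE clause of the real query still belong in a PreparedStatement with bound parameters; only the identifier needs this catalog check.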
Thank you. The statement works. Could you please indicate a reading about validation and injection?
Giuseppa Cefalu wrote: Thank you. The statement works. Could you please indicate a reading about validation and injection?
Search on the internet for "sql injection". There are many discussions also here on Javaranch and generally on the internet. Try to read a few articles and come back with specific questions if it is still unclear.
subject: using a java variable to store database table name