| Author |
using a java variable to store database table name
|
Giuseppa Cefalu
Ranch Hand
Joined: Jul 15, 2011
Posts: 121
|
|
Hi,
Is there a way to store the table name in a Java variable (String tableName = "orders") and that way use the variable in the SQL statement instead of using the specific table name? For example:
The code below does not work.
Thank you,
|
 |
Martin Vajsar
Bartender
Joined: Aug 22, 2010
Posts: 2332
|
|
Yes, you could do:
(note the double quotes)
However, be sure to do proper validation of the table name to prevent SQL injection. As the table name cannot be bound into the query, you must validate it. The best validation would be to verify that a table with that name actually exists in the database. If the verification means running another query, make sure to bind the value in this case.
|
 |
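The validation described in the answer above, as an added example that is not part of the original thread: the requested name is checked against the tables the database actually has, and only the name read back from the catalog is concatenated into the statement. The class and method names are hypothetical; the example assumes a JDBC driver on the classpath, a JDBC URL and table name passed on the command line, and (for the query-based variant) a database that exposes `information_schema.tables`.

```java
import java.sql.*;

public final class TableNameGuard {

    // Look the requested name up in the JDBC catalog metadata and return it as the
    // database stores it. Matching is done in Java, so '%' or '_' in the input never
    // act as wildcards. Searches every schema visible to the connection (assumption).
    static String resolveTable(Connection con, String requested) throws SQLException {
        DatabaseMetaData md = con.getMetaData();
        try (ResultSet rs = md.getTables(null, null, "%", new String[] {"TABLE"})) {
            while (rs.next()) {
                String actual = rs.getString("TABLE_NAME");
                if (actual.equalsIgnoreCase(requested)) {
                    return actual;
                }
            }
        }
        throw new IllegalArgumentException("No such table");
    }

    // Alternative check that runs a query: the untrusted name travels as a bound value.
    // Assumes the database exposes information_schema.tables.
    static boolean tableExists(Connection con, String requested) throws SQLException {
        String sql = "SELECT 1 FROM information_schema.tables WHERE LOWER(table_name) = LOWER(?)";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, requested);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Only the catalog-sourced name is concatenated, wrapped in the driver's identifier quote.
    static long countRows(Connection con, String requested) throws SQLException {
        String table = resolveTable(con, requested);
        String q = con.getMetaData().getIdentifierQuoteString().trim();
        String sql = "SELECT COUNT(*) FROM " + q + table.replace(q, q + q) + q;
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getLong(1);
        }
    }

    // Usage (assumed arguments): java TableNameGuard <jdbc-url> <table-name>
    public static void main(String[] args) throws SQLException {
        try (Connection con = DriverManager.getConnection(args[0])) {
            System.out.println(countRows(con, args[1]));
        }
    }
}
```

A name that is not in the catalog never reaches the `SELECT`, so input such as `orders; DROP TABLE orders` is rejected with an exception instead of being executed.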
Giuseppa Cefalu
Ranch Hand
Joined: Jul 15, 2011
Posts: 121
|
|
Thank you. The statement works. Could you please indicate a reading about validation and injection?
Thanks again
|
 |
Martin Vajsar
Bartender
Joined: Aug 22, 2010
Posts: 2332
|
|
Giuseppa Cefalu wrote: Thank you. The statement works. Could you please indicate a reading about validation and injection?
Search on the internet for "sql injection". There are many discussions also here on Javaranch and generally on the internet. Try to read a few articles and come back with specific questions if it is still unclear.
|