using a java variable to store database table name

Giuseppa Cefalu
Ranch Hand

Joined: Jul 15, 2011
Posts: 121
Hi,

Is there a way to store the table name in a Java variable (String tableName = "orders") and that way use the variable in the SQL statement instead of using the specific table name? For example:


The code below does not work;





Thank you,

Martin Vajsar
Sheriff

Joined: Aug 22, 2010
Posts: 3611
    
  60

Yes, you could do:
(note the double quotes)

However, be sure to do proper validation of the table name to prevent SQL injection. As a table name cannot be bound into the query, you must validate it. The best validation would be to verify that a table with that name actually exists in the database. If the verification means running another query, make sure to bind the value in this case.
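
The validation described in the answer above, as an added example that is not part of the original posts: it checks the requested name against the tables the database actually reports (through JDBC metadata rather than a separate query) and concatenates only the catalog's own spelling into the SQL. The class and method names (`SafeTableName`, `resolveTable`, `quote`, `countRows`) are hypothetical, and it assumes a JDBC driver for the given URL is on the classpath.

```java
import java.sql.*;

public class SafeTableName { // hypothetical class name, for illustration only

    /** Returns the table name exactly as the database reports it, or throws if none matches. */
    static String resolveTable(Connection con, String requested) throws SQLException {
        DatabaseMetaData md = con.getMetaData();
        // List the real tables and compare in Java: getTables() takes a LIKE-style
        // pattern, so passing the untrusted name would let '%' and '_' act as wildcards.
        try (ResultSet rs = md.getTables(con.getCatalog(), null, "%", new String[] {"TABLE"})) {
            while (rs.next()) {
                String actual = rs.getString("TABLE_NAME");
                if (actual.equalsIgnoreCase(requested)) {
                    return actual; // use the catalog's spelling, never the caller's string
                }
            }
        }
        throw new SQLException("Unknown table name rejected");
    }

    /** Quotes an identifier with the database's own quote string, doubling embedded quotes. */
    static String quote(Connection con, String identifier) throws SQLException {
        String q = con.getMetaData().getIdentifierQuoteString();
        if (q == null || q.trim().isEmpty()) return identifier; // quoting not supported
        return q + identifier.replace(q, q + q) + q;
    }

    static int countRows(Connection con, String requestedTable) throws SQLException {
        String table = quote(con, resolveTable(con, requestedTable));
        // Only the validated identifier is concatenated; data values still go through '?' binds.
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM " + table)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        // args[0]: JDBC URL (assumption: its driver is on the classpath); args[1]: table name
        try (Connection con = DriverManager.getConnection(args[0])) {
            System.out.println(countRows(con, args[1]));
        }
    }
}
```

A name such as `orders; DROP TABLE orders` never reaches the statement, because it matches no entry in the table list and `resolveTable` throws before any SQL is built.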
Giuseppa Cefalu
Ranch Hand

Joined: Jul 15, 2011
Posts: 121
Thank you. The statement works. Could you please indicate a reading about validation and injection?

Thanks again
Martin Vajsar
Sheriff

Joined: Aug 22, 2010
Posts: 3611
    
  60

Giuseppa Cefalu wrote: Thank you. The statement works. Could you please indicate a reading about validation and injection?

Search on the internet for "sql injection". There are many discussions also here on Javaranch and generally on the internet. Try to read a few articles and come back with specific questions if it is still unclear.