发表新帖
发表新帖

Using Prepared Statements to set Table Name

后端 未结
关注
7 1825
生来不讨喜
生来不讨喜 2020-11-22 11:57

I\'m trying to use prepared statements to set a table name to select data from, but I keep getting an error when I execute the query.

The error and sample code is di

相关标签:
7条回答
  • 旧时难觅i
    2020-11-22 12:06

    I'm not sure you can use a PreparedStatement to specify the name of the table, just the value of some fields. Anyway, you could try the same query but, without the brackets:

    "SELECT plantID, edrman, plant, vaxnode FROM ?"
    0 讨论(0)
  • 遇见更好的自我
    2020-11-22 12:12

    A table name can't be used as a parameter. It must be hard coded. So you can do something like:

    private String query1 = "SELECT plantID, edrman, plant, vaxnode FROM [" + reportDate + "?]";
    0 讨论(0)
  • 夕颜
    2020-11-22 12:17

    If you need a solution which is not vulnerable to SQL injection, you have to duplicate the query for all tables you need:

    final static String QUERIES = {
    "SELECT x FROM Table1 x WHERE a=:a AND b=:b AND ...",
    "SELECT x FROM Table2 x WHERE a=:a AND b=:b AND ...",
    "SELECT x FROM Table3 x WHERE a=:a AND b=:b AND ...",
    ...
};

    And yes: the queries are duplicates and only the table name differs.

    Now you simply select the query that fits your table, e.g. like

    ...
PreparedStatement st = conn.prepareStatement(QUERIES[index]);
...

    You can use this approach wich JPA, Hibernate, whatever...

    If you want a more verbose approach consider using an enum like

    enum AQuery {
    Table1("SELECT x FROM Table1 x WHERE a=:a AND b=:b AND ..."),
    Table2("SELECT x FROM Table2 x WHERE a=:a AND b=:b AND ..."),
    Table3("SELECT x FROM Table3 x WHERE a=:a AND b=:b AND ..."),
    ...

    private final String query;
    AQuery(final String query) {
        this.query = query;
    }

    public String getQuery() {
        return query;
    }
}

    Now use the either an index

    String sql = AQuery.values()[index].getQuery();
PreparedStatement st = conn.prepareStatement(sql);
...

    Or use a table name

    String sql = AQuery.valueOf("Table1").getQuery();
PreparedStatement st = conn.prepareStatement(sql);
...
    0 讨论(0)
  • 你的背包
    2020-11-22 12:22

    This might help:

    public ResultSet getSomething(String tableName) {

PreparedStatement ps = conn.prepareStatement("select * from \`"+tableName+"\`");
ResultSet rs = ps.executeQuery();
}
    0 讨论(0)
  • 隐瞒了意图╮
    2020-11-22 12:23 
    String table="pass"; 

String st="select * from " + table + " ";

PreparedStatement ps=con.prepareStatement(st);

ResultSet rs = ps.executeQuery();
    0 讨论(0)
  • 天涯浪人
    2020-11-22 12:24

    As a number of people have said, you can't use a statement parameter for a table name, only for variables as part of the condition.

    Based on the fact you have a variable table name with (at least) two table names, perhaps it would be best to create a method which takes the entity you are storing and returns a prepared statement.

    PreparedStatement p = createStatement(table);
    0 讨论(0)
 看不清?
提交回复
热议问题