
In PreparedStatement table name can vary

 
amit sharma
Ranch Hand
Posts: 129
I want to make a PreparedStatement which has a query like
"select * from ?"
? is the table name, which can vary. Is this possible? Because when I try to do it, it gives an error.
Can we see the query which the PreparedStatement sent to the database?
Thanks
 
Jan Cumps
Bartender
Posts: 2608
I want to make a PreparedStatement which has a query like
"select * from ?"
It's not possible.
You can bind column values, but not table names or column names in a PreparedStatement.

Regards, Jan
 
Raghavan Muthu
Ranch Hand
Posts: 3381
It's because of the nature of PreparedStatement and how it works.

The PreparedStatement gives you an advantage over the normal Statement object in that it binds and compiles the query (precompilation) against the table and column(s) which are involved.

Because of that, the time taken to compile is reduced every time you execute the query, since you can just change the values at runtime, which does not involve the resource-expensive entities in the database.
 
krishnamoorthy kitcha
Ranch Hand
Posts: 96
Hi dmay chug

In the PreparedStatement the table name should vary

Can you try like this?

First pass the query in a string and pass the table in another string like this

String varytable = getTableName(); // hypothetical helper: the table name comes from your JSP, servlet or EJB
String sql = "select * from " + varytable; // the table name is concatenated into the SQL text, not bound with '?'
PreparedStatement pst = con.prepareStatement(sql, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); // the constants for 1004 and 1007
ResultSet rs = pst.executeQuery();

Check and tell me your feedback regarding this.


Rgs
k.krishnamoorthy
 
Raghavan Muthu
Ranch Hand
Posts: 3381
Originally posted by dmay chug:

....Can we see the query which the PreparedStatement sent to the database?


Yes, if you could print out the prepared statement object in your log or SOP, it will give you the statement being sent to JDBC.
 
amit sharma
Ranch Hand
Posts: 129
Originally posted by krishnamoorthy kitcha:
Hi dmay chug

In the PreparedStatement the table name should vary

Can you try like this?

First pass the query in a string and pass the table in another string like this

String varytable = getTableName(); // hypothetical helper: the table name comes from your JSP, servlet or EJB
String sql = "select * from " + varytable; // the table name is concatenated into the SQL text, not bound with '?'
PreparedStatement pst = con.prepareStatement(sql, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); // the constants for 1004 and 1007
ResultSet rs = pst.executeQuery();

Check and tell me your feedback regarding this.


Rgs
k.krishnamoorthy

Can it not make my application vulnerable to an SQL injection attack?
Thanks
 
Jan Cumps
Bartender
Posts: 2608
Originally posted by Raghavan Muthu:
... in your log or SOP...
Raghavan, what is a SOP?
Regards, Jan
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 35279
Originally posted by Jan Cumps:
what is a SOP?

System.out.println
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 35279
Originally posted by dmay chug:
Can it not make my application vulnerable to an SQL injection attack?

It depends on where the data comes from. Don't let the user type in a table name directly. Suppose you had them pick an entry from a list for which table they want to use. After they submit, validate the entry is in fact in the list. That would prevent entering special characters.

Usually users don't know enough about the schema to be involved in picking a table anyway. They have some higher level knowledge which you would have to map to the table name. If you pick it, you know it is valid.
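A concrete form of the allow-list approach described above, as an added example that is not code from the thread: the user picks a report key, the key is mapped to a table name through a fixed list, any value not in the list is rejected before it reaches the SQL text, and the row filter is still bound with '?'. The table names and the `region` column are assumed for illustration; `Map.of` needs Java 9 or later.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;

/** Maps a user-visible choice to a table name through a fixed allow-list, then queries it. */
public class TableChooser {
    // Assumed mapping: the user only ever sees and submits the key on the left.
    // The real table name on the right is chosen by the application, never typed by the user.
    private static final Map<String, String> REPORT_TABLES = Map.of(
            "orders",    "sales_orders",
            "customers", "crm_customers",
            "invoices",  "billing_invoices");

    /** Returns the table for a submitted choice, or rejects anything not in the list. */
    static String resolveTable(String choice) {
        String table = REPORT_TABLES.get(choice);
        if (table == null) {
            throw new IllegalArgumentException("unknown report: " + choice);
        }
        return table;
    }

    /**
     * The table name is concatenated, but it can only come from the allow-list.
     * The user-supplied region value is bound with '?' so it never becomes SQL text.
     */
    static int countByRegion(Connection con, String choice, String region) throws SQLException {
        String sql = "SELECT COUNT(*) FROM " + resolveTable(choice) + " WHERE region = ?";
        try (PreparedStatement pst = con.prepareStatement(sql)) {
            pst.setString(1, region);
            try (ResultSet rs = pst.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one key from the list, one that is not.
        System.out.println(resolveTable("orders"));            // sales_orders
        try {
            resolveTable("orders_archive");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage()); // rejected: unknown report: orders_archive
        }
    }
}
```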
 
Raghavan Muthu
Ranch Hand
Posts: 3381
Originally posted by Jan Cumps:
Raghavan, what is a SOP?
Regards, Jan


Sorry for having used the abbreviation. It stands for the "System.out.println()" method, similar to printf() in C and cout in C++.