RE: stmt.ExecuteQuery question

 
Jeff Foflygen
Greenhorn
Posts: 12
Hello,

Is it possible to call a file with pre-determined queries specific to the application and list them in a drop down? My code right now, you select the schema, then in the next drop down list you select the table within that schema;

Could I lock down in code 1 schema only and then from the + selectTable portion call a file(s) instead of selectTables? I hope this makes sense.

Thanks for any help!
 
Scott Selikoff
author
Bartender
Posts: 4093
Sure, just make "selectTable" an input parameter. Two concerns though:

1) Might be exposing too much to the outside world if those table names can come directly from a drop down. Large possibility for SQL injection here. More likely, you'd have the drop down send an integer value (0, 1, 2, 3, etc.) then have the Java code select the table based on this value, preventing someone from entering an arbitrary table name.

2) Can't use a PreparedStatement to set the table name (in general), can only be used to set field values.

More often in these situations you find a list of the tables the person might want to access and write a query for each. It gives JDBC/Java a lot tighter control over the database. Any situation where the user can enter their own database table tends to fall into the 'database on top of a database' anti-pattern and be potentially susceptible to massive SQL injection.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
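One way to put the approach from the reply above into code (an added example, not code from either poster): the drop-down submits only an integer index, the Java side maps it to a query written in advance, and the filter value is bound through a PreparedStatement parameter. The schema, table and column names below are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;

public class CannedQueries {

    // The only queries the application will run. Schema and table names are
    // constants in code, never taken from the request (names are made up).
    private static final List<String> QUERIES = List.of(
        "SELECT id, name  FROM inventory.products  WHERE category    = ?",
        "SELECT id, total FROM inventory.orders    WHERE customer_id = ?",
        "SELECT id, email FROM inventory.customers WHERE region      = ?"
    );

    // Labels for the drop-down; the position in this list is the value the form submits.
    public static List<String> labels() {
        return List.of("Products by category", "Orders by customer", "Customers by region");
    }

    // Resolve the submitted drop-down value to a canned query. Anything that is
    // not a valid index is rejected, so a caller can never name a table.
    public static String queryFor(String submitted) {
        int index;
        try {
            index = Integer.parseInt(submitted.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("not a query index: " + submitted);
        }
        if (index < 0 || index >= QUERIES.size()) {
            throw new IllegalArgumentException("unknown query index: " + index);
        }
        return QUERIES.get(index);
    }

    // Run the selected query. Only the field value is user-controlled, and it is
    // bound as a parameter, which is what PreparedStatement is for.
    public static ResultSet run(Connection conn, String submitted, String filterValue)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(queryFor(submitted));
        ps.setString(1, filterValue);
        return ps.executeQuery();
    }
}
```

Because the index is parsed as an int and bounds-checked before the lookup, a submitted value such as a table name or SQL fragment never reaches the database at all.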