I write java program with mysql database. If in mysql database is not exist then program's function creates it by getting values from text-fields.
Here i write function for create database which can holds tables in future.
Problem is when i enter database name equal to 'mysql keywords' like add, as, by.....
I get com.mysql.jdbc.exceptions.MySQLSyntaxErrorException
By reading various forums i get little bit idea about sql injection so i tried preparestatement also.
I tried as below:-
But i got same exception.
Can any one help me how i can avoid exception if from string databasename getting values as mysql keywords...there are almost 230 keywords.
I found various examples to avoid exception if database exist or table exist but at time of database creation example i can not find.
Till someone give me clue i will trying...if i found way then i will post here...Hope this will be easy...
Millions saw the apple fall, but Newton asked why.
Generally only constant literals can be parametrized (replaced by a question mark in PreparedStatement). Table names, column names and, as it seems, database names (among other things such as keywords) cannot be parametrized, for various reasons. One of the reasons probably is that this could make the PreparedStatement vulnerable to some forms of SQL injection.
I don't use MySQL, but it appears that the correct way would be to enclose the database name in back ticks (`)
However, it is probably not a good idea to have a database name that is also a reserved word. Why would you want to do it? If the database name comes from a user, a possible workaround could be to use a constant prefix that would ensure that the resulting database name is not a reserved word.
No, you cannot parametrize the database name in any way. You must put in the database name, and if it is a reserved word, enclosing it in reverse apostrophes might help (I don't know this for sure, I don't use MySQL).
Question marks can be used only instead of literals - string, numeric or date/time constants. And when they are used instead of strings, you don't enclose them in quotes. A question mark is enclosed in quotes does not represent a parameter in PreparedStatement. This is why you got the error - the statement actually had no parameters at all.
Live a little! The night is young! And we have umbrellas in our drinks! This umbrella has a tiny ad: