Using PreparedStatement with table name

**abhi7080** · 12-14-2011, 01:59 PM

i want to create a table with prepared statement using table name as parameter can any one help me 4 this?

**pbrockway2** · 12-19-2011, 08:29 AM

moved from another thread...

If you manage to find this abhi7080, welcome to the forum!

**2by4** · 12-19-2011, 11:19 AM

Why not use Statement?

Prepared statements are for repetitive queries. Does your database management system support parameterizing table names in DDL? I doubt it.

Which database system are you using? Unless the driver is simulating prepared statements, I doubt you can achieve what you want. Others may know differently, though. :-)

**JosAH** · 12-19-2011, 11:37 AM

Using a Statement is bad advice; it makes the query vulnerable for SQL injection if it takes parameters. A prepared statement is pre-compiled and knowing the table(s) and/or view(s) at compile time is essential for the query optimizer so you can't pass the table/view name(s) as a parameter in a PreparedStatement.

Jos

**2by4** · 12-19-2011, 11:48 AM

Originally Posted by JosAH

Using a Statement is bad advice; it makes the query vulnerable for SQL injection if it takes parameters. A prepared statement is pre-compiled and knowing the table(s) and/or view(s) at compile time is essential for the query optimizer so you can't pass the table/view name(s) as a parameter in a PreparedStatement.

Jos

You don't know where those parameters are coming from or who the end user is. It could be a file, or a developer who has full access to the database, using the software. So, unless you know the details, best you say "may be a vulnerability", and let the OP decide. :-)

**JosAH** · 12-19-2011, 12:10 PM

Originally Posted by 2by4

You don't know where those parameters are coming from or who the end user is. It could be a file, or a developer who has full access to the database, using the software. So, unless you know the details, best you say "may be a vulnerability", and let the OP decide. :-)

Sure, teach the OP bad habits ... remember: anything that can go wrong, will go wrong. You don't know where those parameters come from either.

Jos

**2by4** · 12-19-2011, 12:16 PM

Originally Posted by JosAH

Sure, teach the OP bad habits ... remember: anything that can go wrong, will go wrong. You don't know where those parameters come from either.

Jos

Sorry, a possibility is never "bad advice". I put forward a suggestion to be used if appropriate, and put it as a question.

Statement is absolutely appropriate in some instances, for example where the program is intended to be used by an administrator.

That's my last word on this before you derail the thread.

**JosAH** · 12-19-2011, 12:21 PM

Ok, goodbye and stop giving bad advice to people new to the subject. You claim to be a Mr. Know-It-All in your replies, but you are not obviously.

Jos

**Tolls** · 12-19-2011, 01:13 PM

I'm not too sure you can bind DDL like this.
Since you can't bind a table name in a DML statement, I would find it a bit odd that you could do it in DDL. And if you can't do that, then it's all a bit moot.

I would be intrigued if anyone has an example.