  1. #1 abhi7080 (Member)

    Using PreparedStatement with table name

    I want to create a table with a prepared statement, using the table name as a parameter. Can anyone help me with this?

  2. #2 pbrockway2 (Moderator)

    Re: Using PreparedStatement with table name

    moved from another thread...

    If you manage to find this abhi7080, welcome to the forum!

  3. #3 2by4 (Banned)

    Re: Using PreparedStatement with table name

    Why not use Statement?

    Prepared statements are for repetitive queries. Does your database management system support parameterizing table names in DDL? I doubt it.

    Which database system are you using? Unless the driver is simulating prepared statements, I doubt you can achieve what you want. Others may know differently, though. :-)

  4. #4 JosAH (Moderator)

    Re: Using PreparedStatement with table name

    Using a Statement is bad advice; it makes the query vulnerable to SQL injection if it takes parameters. A prepared statement is pre-compiled, and knowing the table(s) and/or view(s) at compile time is essential for the query optimizer, so you can't pass the table/view name(s) as a parameter in a PreparedStatement.

    Jos
    cenosillicaphobia: the fear of an empty beer glass

  5. #5 2by4 (Banned)

    Re: Using PreparedStatement with table name

    Quote Originally Posted by JosAH:
        Using a Statement is bad advice; it makes the query vulnerable to SQL injection if it takes parameters. A prepared statement is pre-compiled, and knowing the table(s) and/or view(s) at compile time is essential for the query optimizer, so you can't pass the table/view name(s) as a parameter in a PreparedStatement.

        Jos

    You don't know where those parameters are coming from or who the end user is. It could be a file, or a developer who has full access to the database, using the software. So, unless you know the details, best you say "may be a vulnerability", and let the OP decide. :-)
    Last edited by 2by4; 12-19-2011 at 12:50 PM.

  6. #6 JosAH (Moderator)

    Re: Using PreparedStatement with table name

    Quote Originally Posted by 2by4:
        You don't know where those parameters are coming from or who the end user is. It could be a file, or a developer who has full access to the database, using the software. So, unless you know the details, best you say "may be a vulnerability", and let the OP decide. :-)

    Sure, teach the OP bad habits ... remember: anything that can go wrong, will go wrong. You don't know where those parameters come from either.

    Jos

  7. #7 2by4 (Banned)

    Re: Using PreparedStatement with table name

    Quote Originally Posted by JosAH:
        Sure, teach the OP bad habits ... remember: anything that can go wrong, will go wrong. You don't know where those parameters come from either.

        Jos

    Sorry, a possibility is never "bad advice". I put forward a suggestion to be used if appropriate, and put it as a question.

    Statement is absolutely appropriate in some instances, for example where the program is intended to be used by an administrator.

    That's my last word on this before you derail the thread.

  8. #8 JosAH (Moderator)

    Re: Using PreparedStatement with table name

    Ok, goodbye, and stop giving bad advice to people new to the subject. You claim to be a Mr. Know-It-All in your replies, but obviously you are not.

    Jos

  9. #9 Tolls (Moderator)

    Re: Using PreparedStatement with table name

    I'm not too sure you can bind DDL like this.
    Since you can't bind a table name in a DML statement, I would find it a bit odd that you could do it in DDL. And if you can't do that, then it's all a bit moot.

    I would be intrigued if anyone has an example.
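An added example (not code from any post in this thread) that shows both points the thread makes: a bind marker in place of a table name is rejected by the database, as #4 and #9 say (the driver sends the `?` through as-is, and the SQL grammar only allows a bind variable where a value may appear), and the way to take a table name from the program's input without the injection risk #4 warns about is to check the identifier against an allow-list before concatenating it, while the values still go through bound parameters. It assumes the sqlite-jdbc driver on the classpath (`jdbc:sqlite::memory:`) and Java 9 or later; the class name, the `safeIdentifier` helper, the table names and the hostile input are illustrative.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;
import java.util.regex.Pattern;

public class TableNameDemo {

    // Names we are willing to create (illustrative). An allow-list is the strongest
    // check; the regex is the fallback when the set of names is open-ended.
    private static final Set<String> ALLOWED = Set.of("audit_2011", "audit_2012");
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,62}");

    /** Rejects anything that is not a plain, allow-listed identifier, then quotes it. */
    static String safeIdentifier(String name) {
        if (name == null || !IDENT.matcher(name).matches() || !ALLOWED.contains(name)) {
            throw new IllegalArgumentException("table name not permitted: " + name);
        }
        // Double quotes are standard SQL identifier quoting; doubling any embedded
        // quote is redundant here because the regex already excludes it.
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: sqlite-jdbc (org.xerial) on the classpath; any JDBC driver behaves the same.
        try (Connection con = DriverManager.getConnection("jdbc:sqlite::memory:")) {

            // 1. What the OP asked for: a bind marker where the table name goes.
            //    The driver does not substitute text; the database sees the '?' and
            //    rejects it, because an identifier position cannot hold a bind variable.
            try (PreparedStatement ps = con.prepareStatement("CREATE TABLE ? (id INTEGER, note TEXT)")) {
                ps.setString(1, "audit_2011");
                ps.executeUpdate();
                System.out.println("unexpected: driver accepted a bound table name");
            } catch (SQLException e) {
                System.out.println("bound table name rejected as expected: " + e.getMessage());
            }

            // 2. The unsafe alternative: concatenating whatever arrived, as a plain Statement
            //    would. With hostile input the statement is no longer the one you wrote.
            String hostile = "x (id INTEGER); DROP TABLE audit_2012; --";
            String unsafeSql = "CREATE TABLE " + hostile + " (id INTEGER, note TEXT)";
            System.out.println("what naive concatenation would run: " + unsafeSql);

            // 3. Validate the identifier separately, concatenate only the validated form,
            //    and keep binding the values through the PreparedStatement.
            String table = safeIdentifier("audit_2011");
            try (PreparedStatement ddl = con.prepareStatement(
                    "CREATE TABLE " + table + " (id INTEGER, note TEXT)")) {
                ddl.executeUpdate();
            }
            try (PreparedStatement ins = con.prepareStatement(
                    "INSERT INTO " + table + " (id, note) VALUES (?, ?)")) {
                ins.setInt(1, 1);
                ins.setString(2, "'); DROP TABLE audit_2011; --"); // a value: bound, so stored literally
                ins.executeUpdate();
            }
            try (PreparedStatement q = con.prepareStatement(
                    "SELECT note FROM " + table + " WHERE id = ?")) {
                q.setInt(1, 1);
                try (ResultSet rs = q.executeQuery()) {
                    while (rs.next()) {
                        System.out.println("stored note: " + rs.getString(1));
                    }
                }
            }

            // 4. The hostile string never reaches the database: validation rejects it first.
            try {
                safeIdentifier(hostile);
            } catch (IllegalArgumentException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

The allow-list is what makes step 3 safe; the regex alone only guarantees the name is a syntactically plain identifier, which stops injection but still lets a caller create or touch any table they can name. Where the set of names is genuinely dynamic (per-tenant tables, dated partitions), derive the name from a validated key rather than accepting the full name as input.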
