ansaurus

Question

MySQL-JDBC Question: Can I use the column name as parameter?

Answer 1

A:

i think it shouldnt be a problem as it works with the position of the placeholder , so this should work if u have the i variable defined above it.

pre.setString(1, "c1");
pre.setString(2, i);

Sabeen Malik 2009-10-03 22:19:33

should be double quotes around c1

Nathan Feger 2009-10-03 23:11:06

Answer 2

A:

can't you do this:

String c;// the name of the column

...    
String sql = "select * from table where " + c + "  = ?";
                pre = con.prepareStatement(sql);
                pre.setString(1, i);
                rs = pre.executeQuery();

?

If not then this might be a solution:

String c;// the name of the column

...    
String sql = "select * from table where ('C1' = ? AND C1 = ?) 
                                     OR ('C2' = ? AND C2 = ?) 
                                     OR ('C3' = ? AND C3 = ?)"
                pre = con.prepareStatement(sql);
                pre.setString(1, c);
                pre.setString(2, i);
                pre.setString(3, c);
                pre.setString(4, i);
                pre.setString(5, c);
                pre.setString(6, i);
                rs = pre.executeQuery();

najmeddine 2009-10-03 22:25:16

I know. I wrote in the question. :)

cc 2009-10-03 22:28:25

havn't seen the update; I deleted the part about passing col names to a PreparedStatement.

najmeddine 2009-10-03 23:12:01

Answer 3

A:

This won't work. The prepare statement parses the SQL, sends to the database for validation and compilation. If question marks could substitute parts of the SQL, you would loose the whole point of bound variables - speed and security. You would reintroduce SQL injection back and statements will have to be recompiled for all parameters.

Wouldn't something like SELECT * FROM table WHERE c1 = ? OR c2 = ? OR c3 = ? be better (of course depending on indexes and table sizes).

Petr Topol 2009-10-03 22:30:25

Answer 4

A:

Use a dynamic query and a java.sql.Statement:

String whereClause = c + " = " + i;

// Form the dynamic Query
StringBuffer query = new StringBuffer( "SELECT * FROM TABLE" ); 
// Add WHERE clause if any
query.append(" WHERE " + whereClause);

// Create a SQL statement context to execute the Query
Statement stmt = con.createStatement();

// Execute the formed query and obtain the ResultSet
ResultSet resultSet = stmt.executeQuery(query.toString());

Pascal Thivent 2009-10-03 22:48:53

just be careful with this because it can lead to sql injection

Nathan Feger 2009-10-03 23:14:44

Answer 5

A:

you could code up a a set of sql queries and store them in a map, then grab one based on the column in question.

enum column { a, b, c}

Map<column, string> str;

static {
 str.put(a, "select * from tbl where a = ? ");
 ...
}

then just grab one out of the map later based on the enum. String appends in sql statements have a way of becoming security problems in the future.

Nathan Feger 2009-10-03 23:17:10

ansaurus

tags:

views:

answers:

MySQL-JDBC Question: Can I use the column name as parameter?

related questions