I'm trying to use a PreparedStatement with code similar to this:

SELECT * FROM ? WHERE name = ?

Obviously, what happens when I use setString() to set the table and name field is this:

SELECT * FROM 'my_table' WHERE name = 'whatever'

and the query doesn't work. Is there a way to set the String without quotes so the line looks like this:

SELECT * FROM my_table WHERE name = 'whatever'

or should I just give it up and use the regular Statement instead (the arguments come from another part of the system, neither of those is entered by a user)?

+7  A: 

Parameters cannot be used to parameterize the table, or parameterize any database objects. They're mostly used for parameterizing WHERE/HAVING clauses.

To do what you want, you'll need to do the substitution yourself and create a regular statement as needed.

When you use a prepared statement, this is a hint to the database to do up front processing on the statement - e.g. parse the string and possibly determine an execution plan. If the objects used in the query can change dynamically, then the database could not do much up front preparation.

mdma
To further this, it's not that using setString puts quotes around the strings, because it doesn't (bind variables don't work that way). It's just that you can't use a variable for that part of the query.
Donnie
Got it, thank you! Would you say using PreparedStatement doesn't make much sense here, given the parameters are not user entered? I mean it's probably more costly versus using regular Statement. Or should I use PreparedStatement everywhere no matter what?
Slavko
You can still use a PreparedStatement, just don't try to parameterize the table name - parameterize the 'whoever'. There is some debate over the use of prepared vs regular statements, but I believe the consensus is to use prepared statements unless you discover good reasons not to.
mdma
+2  A: 

Unfortunately you cannot parameterize table names for prepared statements. If desired, you could construct a String and execute it as dynamic SQL.

Zugwalt
+3  A: 

I doubt that your SQL is really infinitely flexible that way. You only have a finite number of tables, so the number of static final Strings to express the SQL you need is finite as well.

Continue to use PreparedStatement and bind your variables. It's totally worth it, especially helpful when avoiding SQL injection problems.

duffymo
You have obviously not read enough TheDailywtf.com. Having a table per customer (and the number of customers is not bounded) is an anti-pattern that is in use.
Martin Tilsted
Apparently not. Thanks for the heads up. 8)
duffymo
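The behaviour mdma and duffymo describe, shown end to end as an added example (not code from the question or from any of the answers): a bind parameter in the FROM position is rejected at prepare time, while the working pattern is a fixed whitelist of table names (duffymo's "finite number of static final Strings") substituted into the SQL text, with the WHERE value still bound. It uses Python's standard-library sqlite3 module rather than JDBC so that it runs offline with no driver; the `?` placeholder semantics are the same as in a JDBC PreparedStatement. The tables, rows and the `ALLOWED_TABLES` whitelist are constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory database with two tables so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE my_table (id INTEGER, name TEXT);
        CREATE TABLE other_table (id INTEGER, name TEXT);
        INSERT INTO my_table VALUES (1, 'whatever'), (2, 'someone');
        INSERT INTO other_table VALUES (1, 'whatever');
    """)
    return conn

def try_bind_table_name(conn, table, name):
    """The query from the question, with the table name as a bind parameter.
    The engine refuses to prepare it: an identifier is not a value.
    Returns the error message, or None if the statement unexpectedly ran."""
    try:
        conn.execute("SELECT * FROM ? WHERE name = ?", (table, name)).fetchall()
        return None
    except sqlite3.OperationalError as e:
        return str(e)

# Hypothetical whitelist: the only tables this code path may query.
# Because the set is fixed at development time, the identifier is never
# taken from the caller's string, only looked up by it.
ALLOWED_TABLES = frozenset({"my_table", "other_table"})

def select_by_name(conn, table, name):
    """Substitute the table name only after it matches the whitelist,
    then bind the value with a normal placeholder."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    # Safe to interpolate: the identifier came from ALLOWED_TABLES, not from input.
    sql = f'SELECT * FROM "{table}" WHERE name = ?'
    return conn.execute(sql, (name,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    print("binding the table name:", try_bind_table_name(conn, "my_table", "whatever"))
    print("whitelisted table, bound value:", select_by_name(conn, "my_table", "whatever"))
```

The whitelist lookup is what makes the string concatenation acceptable: the caller's argument only selects one of the known identifiers, so the SQL text can never contain anything but a table name the code already trusted. The value side stays a bound parameter, which is the part of the query where injection would otherwise occur.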
A: 

The mistake you made is that you cannot pass the table name as a parameter. You should only pass the values to a SQL Statement.

Ex: If you want to:

Select * from LoggedUsers where username='whatever' and privilege='whatever';

then you have to build the PreparedStatement as:

PreparedStatement ps = connection.prepareStatement(
    "Select * from LoggedUsers where username=? and privilege=?");
ps.setString(1, usernameObject);   // first ? is bound to the username value
ps.setString(2, privilegeObject);  // second ? is bound to the privilege value

The purpose of PreparedStatement is to reduce the difficulty and readability of the database connection code. When the developer has to use so many column values with Statement's instance it's so difficult to put semicolons, commas and plus (concat operator).

I think you mistakenly wanted to take advantage of it, which it is not designed to be....

venJava