views: 87
answers: 4

I want to create a table, and this table's name will be inserted from a text field. However, when I run the query it's giving me an error. Any help on this one? I'll paste the code here:

// TableNumber, jTextField4, conn, stmt, ConnectionForOrders() and
// ConnectionForOrdersclose() are fields/methods defined elsewhere in the class.
public boolean CreateTable() {
  TableNumber = jTextField4.getText();

  try {
    String password = null;
    // Builds the CREATE TABLE statement directly from the text-field value.
    String s = "CREATE TABLE '" + TableNumber + "' (Item char(50),Price char(50))";

    ConnectionForOrders();
    stmt = conn.createStatement();
    stmt.executeUpdate(s);

    boolean f = false;
    ConnectionForOrdersclose();
    return true;
  } catch (SQLException e) {   // java.sql.SQLException
    e.printStackTrace();
    return false;
  }
}
+1  A: 

Is TableNumber well...a number? If it is, it's probably causing a syntax error.

Roland Bouman
+1  A: 

Looks like the apostrophe and quotation mark are inverted around TableNumber (the right side), which would produce a compiler error.

Mike
+3  A: 

I'll start by assuming your '" gaffe is a typo because it shouldn't even compile that way (I edited the question to fix it for those that come later).

That aside, you don't enclose table names in single quotes. It's not:

CREATE TABLE 'tablename' ( ... )

You just write:

CREATE TABLE tablename ( ... )

But you shouldn't even do that much, because you're getting your tablename from a text field. What's to prevent someone from entering something like this in that text field:

a(b int);DROP TABLE users;--

(Assuming of course that you have a users table somewhere). It's important to remember that an attacker could enter any arbitrary SQL after that first ;, and your database will blindly run it.

Joel Coehoorn
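The answer above makes two points: table names are not quoted with single quotes, and a table name taken from a text field cannot be dropped into the statement as-is. A table name is an identifier, not a value, so it cannot be bound with a `?` placeholder the way a prepared statement binds values; the defensive pattern is a strict allow-list check on the name followed by standard double-quote identifier quoting. The example below is added here and is not code from the question or any answer; it uses Python's built-in sqlite3 module (rather than Java/JDBC, which the question uses) so that it runs with no database server, and the table name `orders_42`, the `users` table and the function names are constructed for the demonstration.

```python
import re
import sqlite3

# Allow-list for a table name: letters, digits and underscore, must not start
# with a digit, bounded length. Anything else is rejected before it reaches SQL.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def quote_identifier(name: str) -> str:
    """Validate a user-supplied table name and return it as a quoted SQL identifier.

    Identifiers cannot be bound as statement parameters, so the safe approach is
    a strict allow-list check followed by double-quote identifier quoting
    (embedded quotes doubled, which the regex already rules out; belt and braces).
    """
    if not IDENTIFIER_RE.fullmatch(name):
        raise ValueError(f"invalid table name: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def create_item_table(conn: sqlite3.Connection, table_name: str) -> str:
    """Create the (Item, Price) table from the question using a validated name."""
    sql = f"CREATE TABLE {quote_identifier(table_name)} (Item char(50), Price char(50))"
    conn.execute(sql)
    conn.commit()
    return sql


def parameter_binding_rejected(conn: sqlite3.Connection) -> bool:
    """Show why the table name cannot simply be a '?' placeholder: the driver
    refuses it, because placeholders stand for values, not identifiers."""
    try:
        conn.execute("CREATE TABLE ? (Item char(50), Price char(50))", ("orders_42",))
    except sqlite3.OperationalError:
        return True
    return False


def table_names(conn: sqlite3.Connection) -> set:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {r[0] for r in rows}


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    # Constructed: the table the hostile input from the answer above targets.
    conn.execute("CREATE TABLE users (id integer)")
    results = {}
    # Well-formed input from the text field is accepted and quoted.
    results["good_sql"] = create_item_table(conn, "orders_42")
    # The hostile string from the answer above never reaches the database.
    hostile = "a(b int);DROP TABLE users;--"
    try:
        create_item_table(conn, hostile)
        results["hostile_rejected"] = False
    except ValueError:
        results["hostile_rejected"] = True
    results["users_survives"] = "users" in table_names(conn)
    results["binding_rejected"] = parameter_binding_rejected(conn)
    conn.close()
    return results


if __name__ == "__main__":
    print(demo())
```

The same structure carries over to JDBC: keep `PreparedStatement` parameters for the column values, and route any identifier that comes from the user through an allow-list check before concatenating it into the DDL. Double-quoted identifiers are standard SQL; SQL Server also accepts `[name]` bracket quoting.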
A: 

Check this link: HOW TO: SQL & JAVA for details on how to connect to a SQL Server database from Java database applications as well as C#.NET database applications. It also describes how to pass embedded SQL queries, call stored procedures, pass parameters, etc.

SNK111