tags:

views:

38

answers:

2
+1  Q: 

Variable table or column names.

INFORMIX-SQL or any other SQL-based DB:

Suppose I have an app where depending on the value of some columns, example:

company.code  char(3) {abc}
company.branch char(2) {01}

Can I construct table name "abc01" for inclusion in SELECT * FROM abc01; ? In other words, a variable table name.. same question applies for column names.

+2  A: 

Only in a language which can manipulate character strings and handle Dynamic SQL. It has to create the statement on the fly.

You can only use placeholders in queries for values, not for the structural elements of the query such as the table name or column name.

Jonathan Leffler  2010-06-17 05:14:22
+2  A: 

Only if you use dynamic sql. It's like you build sql code in your app, then use something like execute immediate.

sprintf(cdb_text1, "create table %s (field1 char(3));", usr_db_id);
EXEC SQL execute immediate :cdb_text;

If you use dynamic sql, it's bad because of sql injections.

ksogor  2010-06-17 05:15:16
Dynamic SQL used carelessly can certainly lead to [SQL Injection](http://xkcd.org/327) but simply using Dynamic SQL is not automatically a problem. It depends on how careful you are. This particular example does not matter too much; with a CHAR(3) and a CHAR(2) field holding the 'user data', there is not much scope for mischief (Old "Robert'); DROP TABLE Students; --" simply does not fit in 5 characters.
Jonathan Leffler  2010-06-17 05:26:23
In this case it's not dangerous. But if I use Dynamic SQL I need/would like know, that this possibility exist, right?
ksogor  2010-06-17 05:40:30
If the source of the dynamic values is a user, you need to consider the implications of SQL Injection.If the dynamic aspects of the generated SQL are purely internal business logic to the program, then it's an entirely different matter, and you only need to consider how you deal with unexpected/NULL values appearing in these columns.Having said that, if you find you need to do this, you ought to be casting a very critical eye over your data model. It all sounds very fragile.
RET  2010-06-17 06:05:34
@ksogor- The 'abc01' example are validated values held in a control table used for determining which company/branch system the user will work with.
Frank Computer  2010-06-17 19:14:59

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP