I wanted to know of some way to create a table on the fly based on user input (SQL Prepared Statement).

CREATE TABLE ? (
  First_Name char(50),
  Last_Name char(50)
)

What should I put in place of the question mark?

+6  A: 

PreparedStatement placeholders are not intended for table names nor column names, they are only intended for actual column values.

So you would have to create the (prepared) statement string dynamically, which means your application will be vulnerable to SQL injection. Depending on how the application is supposed to be used - and by whom - this could be a BIG problem.

Related question

Pascal Thivent
OMG Ponies
@OMG Indeed, and it makes sense IMHO.
Pascal Thivent
+1  A: 

As the other answers point out, you cannot use a prepared statement in this case, as replacement of table names is not supported in most DBMS.

However, I'd like to point out that choosing a table name based on user input seems like a bad idea. How do you prevent duplicates, or invalid names?

Why does the table name matter?

sleske
He might be implementing a "Create Table" wizard for some TOAD-like tool
gpeche
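
Added example (not part of either answer above): since the table name cannot be a placeholder, one way to build the statement string without opening it to injection or invalid names is to check the name against an allowlist pattern before concatenating it. The class name, method names and naming policy are assumptions made for this sketch.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

public class DynamicTable {
    // Assumed naming policy: a letter, then letters/digits/underscores, 30 chars max.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9_]{0,29}");

    /** Builds the DDL string; throws if the name is outside the allowlist. */
    static String createTableSql(String userInput, String quote) {
        if (userInput == null || !SAFE_NAME.matcher(userInput).matches()) {
            throw new IllegalArgumentException("table name rejected");
        }
        // Quoting keeps a reserved word such as "select" usable as a name.
        // The allowlist already excludes every quote character, so the
        // concatenation cannot close the identifier early.
        return "CREATE TABLE " + quote + userInput + quote
             + " (First_Name char(50), Last_Name char(50))";
    }

    /** Executes the DDL; a duplicate name surfaces as an SQLException. */
    static void createTable(Connection conn, String userInput) throws SQLException {
        // The driver reports its own identifier quote (" for most, ` for MySQL).
        String quote = conn.getMetaData().getIdentifierQuoteString();
        try (Statement st = conn.createStatement()) {
            st.executeUpdate(createTableSql(userInput, quote));
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two acceptable names, two rejected ones.
        String[] samples = {"customers_2010", "select", "x (a int); DROP TABLE y; --", ""};
        for (String s : samples) {
            try {
                System.out.println("accepted: " + createTableSql(s, "\""));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: [" + s + "]");
            }
        }
    }
}
```

Quoted identifiers are case-sensitive in several DBMSs, so later queries have to quote the name the same way.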