I wanted to know of some way to create table on the fly based on user input(SQL Prepared Statement)
CREATE TABLE ? (
First_Name char(50),
Last_Name char(50)
)
What should i put in place of question mark
views:
89answers:
2
+6
A:
PreparedStatement placeholders are not intended for table names nor column names, they are only intended for actual column values.
So you would have to create the (prepared) statement string dynamically, which means your application will be vulnerable to SQL injection. Depending on how the application is supposed to be used - and by who - this could be a BIG problem.
Related question
Pascal Thivent
2010-09-07 03:55:09
OMG Ponies
2010-09-07 03:58:48
@OMG Indeed, and it makes sense IMHO.
Pascal Thivent
2010-09-07 04:27:09
+1
A:
As the other answers point out, you cannot use prepared statement in this case, as replacement of table names is not supported in most DBMS.
However, I'd like to point out that choosing a table name based on user input seems like a bad idea. How do you prevent duplicates, or invalid names?
Why does the table name matter?
sleske
2010-09-07 04:04:53