Escaping single quotes in table SQL queries | ansaurus

tags:

java
jdbc

views:

54

answers:

3

Q:

Escaping single quotes in table SQL queries

Using java.sql.Preparedstatement implies the escaping of characters will be done while parsing the queries, this does happen also when I have single quotes in my data but when I have single quotes in my table name itself the query does not work (I am using Oracle 11g).

Here's my code:

Class.forName("oracle.jdbc.OracleDriver");
con = DriverManager.getConnection(
    "jdbc:oracle:thin:client/adept@ind-db-02:1521:ind02");

PreparedStatement preparedStatement = con.prepareStatement(
    "SELECT * FROM (?) where rownum=1");

preparedStatement.setString(1,"CLIENT.\"SR'tab\"");
ResultSet rs3=preparedStatement.executeQuery();

Is there any way of escaping single quotes from the table name using a prepared statement?

+4 A:

PreparedStatement placeholders are not intended for table names nor column names, they are only intended for actual column values. In other words, you are actually misusing PreparedStatement.

See also

Using Prepared Statements

Pascal Thivent 2010-10-01 13:23:00

[Deja vu](http://stackoverflow.com/questions/3655615/sql-prepared-statment-to-create-table) and [here](http://stackoverflow.com/questions/1875049/preparedstatement-not-returning-ordered-resultset/1875136#1875136) :)

BalusC 2010-10-01 13:26:08

@BalusC Yes, indeed, I confess :)

Pascal Thivent 2010-10-01 13:28:47

A:

hi!

Although it is very correct to use bind parameters to pass data to the database, you can not use bind parameters for table names.

In that case, it should be enought to properly quote it.

e.g. (untested):

PreparedStatement preparedStatement=
  con.prepareStatement("SELECT * FROM \"CLIENT.SR'tab\" where rownum=1");

Markus Winand 2010-10-01 13:25:06

This does not work with proper quotes for the table name . i have tried that , reason i suspect for this escapeProcessing is on , when i disable escapeProcessing (JDBC level) + proper quoting then query works fine

sourabh 2010-10-06 06:52:32

+1 A:

I recommend you change those table names now, to prevent agony in the future. The high-powered tools we all use are great but when one colors too far outside the lines, the pain is unending.

Tony Ennis 2010-10-01 13:28:40

related questions

Java Time Zone is messed up

Eclipse on win64

Automate builds for Java RCP for deployment with JNLP

Why are professors or schools picking Java over C++ to teach to students?

Is there a real benefit of using J#?

Public/Popular Websites using JavaServer Faces

Why can't I use a try block around my super() call?

Accessing post variables using Java Servlets

Personal Linux web server

Is this really widening vs autoboxing?

How can I Java webstart multiple, dependent, native libraries?

Why can't I call toString() on a Java primitive?

How do I use Java to read from a file that is actively being written?

What code analysis tools do you use for your Java projects?

IllegalArgumentException or NullPointerException for a null parameter?

How do I configure and communicate with a serial port?

What is the best way to parse strings in Java

Getting started with a custom JXTA PeerGroup

Creating a custom button in Java

How to get started "writing" a code coverage tool?

Which Build-/Configuration Management Tool?

What is the difference between an int and an Integer in Java/C#?

What is the meaning of the type safety warning in certain Java generics casts?

How would you access Object properties from within an object method?

Converting CSV File to XML in Java