Variable column names using prepared statements

by

This indicates a bad DB design. The user shouldn’t need to know about the column names. Create a real DB column which holds those “column names” and store the data along it instead.

And any way, no, you cannot set column names as PreparedStatement values. You can only set column values as PreparedStatement values

If you’d like to continue in this direction, you need to sanitize the column names (to avoid SQL Injection) and concatenate/build the SQL string yourself. Quote the separate column names and use String#replace() to escape the same quote inside the column name.

More Related Contents:

  1. Using setDate in PreparedStatement
  2. How can I get the SQL of a PreparedStatement?
  3. How does a PreparedStatement avoid or prevent SQL injection?
  4. right syntax to use near ‘?’
  5. How to use prepared statement for select query in Java?
  6. Simulate Result set closing failed [closed]
  7. PreparedStatement IN clause alternatives?
  8. Multiple queries executed in java in single statement
  9. Insert & fetch java.time.LocalDate objects to/from an SQL database such as H2
  10. How to execute IN() SQL queries with Spring’s JDBCTemplate effectively?
  11. How do I get the size of a java.sql.ResultSet?
  12. Using “like” wildcard in prepared statement
  13. Get query from java.sql.PreparedStatement [duplicate]
  14. What is the best approach using JDBC for parameterizing an IN clause? [duplicate]
  15. Reusing a PreparedStatement multiple times
  16. Where’s my invalid character (ORA-00911)
  17. MySQL and JDBC with rewriteBatchedStatements=true
  18. Getting java.sql.SQLException: Operation not allowed after ResultSet closed
  19. How does Java’s PreparedStatement work?
  20. JDBC Pagination
  21. Does the preparedStatement avoid SQL injection? [duplicate]
  22. org.postgresql.util.PSQLException: FATAL: sorry, too many clients already
  23. java.sql.SQLException: No suitable driver found for jdbc:mysql://localhost:3306/dbname [duplicate]
  24. Queries returning multiple result sets
  25. dll missing in JDBC
  26. Inserting null to an Integer column using JDBC
  27. MS SQL Exception: Incorrect syntax near ‘@P0’
  28. JDBC Prepared Statement . setDate(….) doesn’t save the time, just the date.. How can I save the time as well?
  29. PreparedStatement and setTimestamp in oracle jdbc
  30. Searching between dates in SQL with JDBC?

Leave a Comment