Using Prepared Statements to set Table Name

Question

I'm trying to use prepared statements to set a table name to select data from, but I keep getting an error when I execute the query.

The error and sample code is displayed below.

[Microsoft][ODBC Microsoft Access Driver] Parameter 'Pa_RaM000' specified where a table name is required.



private String query1 = "SELECT plantID, edrman, plant, vaxnode FROM [?]"; //?=date
public Execute(String reportDate){
    try {

        Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
        Connection conn = DriverManager.getConnection(Display.DB_MERC);
        PreparedStatement st = conn.prepareStatement(query1);
        st.setString(1, reportDate);
        ResultSet rs = st.executeQuery();

Any thoughts on what might be causing this?

If you need to substitute different table names into a query with the same structure it points to a flaw in your database design. At the least it points to multiple tables with the same relation attributes. Normalise it into a single table with a "subject" column. — Terrible Tadpole
– Terrible Tadpole, Commented Nov 12, 2015 at 21:43

Mark Rotteveel · Accepted Answer · 2016-07-28 15:43:37Z

39

A table name can't be used as a parameter. It must be hard coded. So you can do something like:

private String query1 = "SELECT plantID, edrman, plant, vaxnode FROM [" + reportDate + "?]";

edited Jul 28, 2016 at 15:43

Mark Rotteveel

110k240 gold badges160 silver badges232 bronze badges

answered Jul 30, 2009 at 18:33

camickr

325k21 gold badges174 silver badges293 bronze badges

Sign up to request clarification or add additional context in comments.

7 Comments

Benvorth Over a year ago

Dont! This is a secuiry issue due to SQL-injection.

Sebas Over a year ago

use org.apache.commons.lang.StringEscapeUtils.escapeSql on the table name to make sure you're not putting your schema at risk.

Benvorth Over a year ago

@everyone suggesting the string-concatenation of the tablename: DONT do it. This give way to SQL-injections - the No 1 attack in OWASPs Top 10 (see owasp.org/index.php/Top_10_2013-Top_10)

Richard Tingle Over a year ago

It goes without saying that if you are going to do this then the tablename must be whitelisted (and you should use the value from the whitelist not the entered value, just to be sure; regexes etc)

Philip Callender Over a year ago

Do not use org.apache.commons.lang.StringEscapeUtils.escapeSql. It was deprecated in commons.lang3, and in any case only replaces single-quotes with double single-quotes. It does not prevent SQL injection. See commons.apache.org/proper/commons-lang/article3_0.html and commons.apache.org/proper/commons-lang/javadocs/api-2.6/org/….

|

Datz · Accepted Answer · 2022-11-29 10:23:37Z

You can't set table name in prepared statement

As said before, it is not possible to set the table name in a prepared statement with ~~preparedStatement.setString(1, tableName)~~. And it is also not possible to add parts of the SQL query to a prepared statement (eg ~~preparedStatement.addSql(" or xyz is null")~~).

How to do it right without risking SQL injections?

The table name must be inserted into the SQL (or JQL) query you want to execute with string operations like "select * from " + tableName or String.format("select * from %s", tableName)

But how to avoid SQL injections?

If the table name does not come from user input, you are probably safe. For example, if you make a decision like here

String tableName;
if(condition) {
    tableName = "animal";
} else {
    tableName = "plant";
}
final String sqlQuery = "delete from " + tableName;
...

If the table name depends on the users input, you need to check the input manually. For example, with a white-list containing all valid table names:

if(!tableNamesWhitelist.contains(tableName)) {
    throw new IllegalArgumentException(tableName + " is not a valid table name");
}
String sqlQuery = "delete from " + tableName;

or with an enum:

public enum Table {
    ANIMAL("animal"),
    PLANT("plant");

    private sqlTableName;
    private TableName(String sqlTableName) {
        this.sqlTableName= sqlTableName;
    }
    public getSqlTableName() {
        return sqlTableName;
    }
}

and then convert the user-input string like ANIMAL into Table.ANIMAL. An exception is thrown, if no fitting enumeration value does exist.

eg

@DeleteMapping("/{table}")
public String deleteByEnum(@PathVariable("table") Table table) {
    final String sqlQuery = "delete from " + table.getSqlTableName();
    ...
}

Of course these examples work with select, update, ... too and a lot of other implementations to check the user input are possible.

mypetlion · Accepted Answer · 2017-07-22 00:14:19Z

1

This is technically possible with a workaround, but very bad practice.

String sql = "IF ? = 99\n";
sql += "SELECT * FROM first_table\n";
sql += "ELSE\n";
sql += "SELECT * FROM second_table";
PreparedStatement ps = con.prepareStatement(sql);

And then when you want to select from first_table you set the parameter with

ps.setInt(1, 99);

Or if not, you set it to something else.

answered Jul 22, 2017 at 0:14

mypetlion

2,5445 gold badges21 silver badges22 bronze badges

Comments

Damien Allison · Accepted Answer · 2016-05-09 16:48:51Z

0

As a number of people have said, you can't use a statement parameter for a table name, only for variables as part of the condition.

Based on the fact you have a variable table name with (at least) two table names, perhaps it would be best to create a method which takes the entity you are storing and returns a prepared statement.

PreparedStatement p = createStatement(table);

answered May 9, 2016 at 16:48

Damien Allison

1094 bronze badges

Comments

ross · Accepted Answer · 2019-06-17 18:00:23Z

-1

This might help:

public ResultSet getSomething(String tableName) {

PreparedStatement ps = conn.prepareStatement("select * from \`"+tableName+"\`");
ResultSet rs = ps.executeQuery();
}

edited Jun 17, 2019 at 18:00

ross

2,7842 gold badges15 silver badges22 bronze badges

answered Jun 17, 2019 at 15:13

Tanvir Singh

215 bronze badges

Comments

Pierre · Accepted Answer · 2009-07-30 18:34:45Z

-3

I'm not sure you can use a PreparedStatement to specify the name of the table, just the value of some fields. Anyway, you could try the same query but, without the brackets:

"SELECT plantID, edrman, plant, vaxnode FROM ?"

answered Jul 30, 2009 at 18:34

Pierre

35.4k33 gold badges120 silver badges197 bronze badges

1 Comment

Brandon Over a year ago

You need brackets to escape "/" in queries...or it might be be for dates. I looked it up last summer

ndsmyter · Accepted Answer · 2015-07-23 11:49:40Z

-3

String table="pass"; 

String st="select * from " + table + " ";

PreparedStatement ps=con.prepareStatement(st);

ResultSet rs = ps.executeQuery();

edited Jul 23, 2015 at 11:49

ndsmyter

6,6453 gold badges24 silver badges38 bronze badges

answered Jan 31, 2014 at 10:28

Anoop

1

2 Comments

Newd Over a year ago

Can you provide some context to your answer, that way future readers can learn how to apply it to their issues and not just in this situation.

Terrible Tadpole Over a year ago

Vulnerable to SQL injection. Do NOT do this!

Collectives™ on Stack Overflow

Using Prepared Statements to set Table Name

7 Answers 7

7 Comments

You can't set table name in prepared statement

How to do it right without risking SQL injections?

But how to avoid SQL injections?

Comments

Comments

Comments

Comments

1 Comment

2 Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

7 Answers 7

7 Comments

You can't set table name in prepared statement

How to do it right without risking SQL injections?

But how to avoid SQL injections?

Comments

Comments

Comments

Comments

1 Comment

2 Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related