
extract column names from sql query after where clause

I have a requirement where I need to pull data out of a database. The query is:

SELECT e.Data AS EntityBlob, f.Data AS FpmlBlob 
FROM [Trades.InventoryRecord] ir, EntityBlob e, FpmlBlob f 
WHERE %s AND uid = e.uid AND uid = f.uid

Here %s is the predicate after the where clause, which the user will input from an HTML form.

User input will be in this form:
1. TradeDate = ' 2013-04-05 ' AND IsLatest = 'TRUE'
2. StreamId = ' IA0015 '
3. The query may have an IN clause also.

Now when this query is run I get the exception "ambiguous column streamId" or "ambiguous column IsLatest", as these columns exist in more than one table with the same name. So to remove this ambiguity I need to modify the query as ir.IsLatest or ir.StreamId.

To do so in Java code, I need to first parse the predicate after the where clause, extract the column names and insert the table alias 'ir' before each column name, so that the query becomes:

SELECT e.Data AS EntityBlob, f.Data AS FpmlBlob 
FROM [Trades.InventoryRecord] ir, EntityBlob e, FpmlBlob f 
WHERE ir.TradeDate = '2013-04-05' AND ir.IsLatest = 'TRUE' AND uid = e.uid AND uid = f.uid

What is the best way to parse this predicate, or is there any other way I can achieve the same result?

My answer to this question is to not parse the user input - there is far too much that can go wrong. It would be a lot better to have a UI with drop downs and buttons for selecting equality, inequality, ranges, in statements, etc. It may seem like more work, but protecting yourself from a SQL injection attack is even more. And even if you are not concerned about malicious SQL injection, then the user still has to get everything exactly right, or the statement fails.
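One way to build the predicate from structured UI choices instead of parsing free text, as an added example that is not part of the answer above. It uses Python with an in-memory SQLite database standing in for the question's SQL Server schema (the table and column names follow the question; the rows are constructed); a Java JDBC PreparedStatement works the same way.

```python
import sqlite3

# Whitelists: only these columns and operators may appear in the predicate.
# Each column is emitted already qualified with the 'ir' alias, which removes
# the ambiguity the question describes without parsing any user text.
ALLOWED_COLUMNS = {"TradeDate": "ir.TradeDate", "IsLatest": "ir.IsLatest",
                   "StreamId": "ir.StreamId"}
ALLOWED_OPERATORS = {"=", "<>", "<", "<=", ">", ">=", "IN"}

# Same shape as the question's query; uid is qualified too, since every
# constructed table here has a uid column.
BASE_QUERY = ("SELECT e.Data AS EntityBlob, f.Data AS FpmlBlob "
              "FROM [Trades.InventoryRecord] ir, EntityBlob e, FpmlBlob f "
              "WHERE {predicate} AND ir.uid = e.uid AND ir.uid = f.uid")

def build_predicate(conditions):
    """conditions: list of (column, operator, value) picked from UI widgets.
    Returns (sql_fragment, params); user values never enter the SQL text."""
    parts, params = [], []
    for column, op, value in conditions:
        if column not in ALLOWED_COLUMNS or op not in ALLOWED_OPERATORS:
            raise ValueError(f"rejected condition: {column!r} {op!r}")
        qualified = ALLOWED_COLUMNS[column]
        if op == "IN":
            values = list(value)
            if not values:
                raise ValueError("IN list must not be empty")
            parts.append(f"{qualified} IN ({', '.join('?' * len(values))})")
            params.extend(values)
        else:
            parts.append(f"{qualified} {op} ?")
            params.append(value)
    if not parts:
        raise ValueError("at least one condition is required")
    return " AND ".join(parts), params

def run_query(conn, conditions):
    predicate, params = build_predicate(conditions)
    return conn.execute(BASE_QUERY.format(predicate=predicate), params).fetchall()

def sample_db():
    """Constructed in-memory schema and rows mirroring the question's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE [Trades.InventoryRecord](uid, TradeDate, IsLatest, StreamId);
        CREATE TABLE EntityBlob(uid, Data, IsLatest, StreamId);
        CREATE TABLE FpmlBlob(uid, Data, IsLatest, StreamId);
        INSERT INTO [Trades.InventoryRecord] VALUES (1,'2013-04-05','TRUE','IA0015'),
                                                    (2,'2013-04-06','FALSE','IA0016');
        INSERT INTO EntityBlob VALUES (1,'e1','TRUE','IA0015'),(2,'e2','FALSE','IA0016');
        INSERT INTO FpmlBlob VALUES (1,'f1','TRUE','IA0015'),(2,'f2','FALSE','IA0016');
    """)
    return conn
```

A value such as `' OR 1=1 --` chosen in a text field is bound as a plain string and simply matches no row, and a column or operator outside the whitelist is rejected before any SQL is built.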
