使用PrepareStatement获取具有可配置表名的数据

Question

I'm trying to get some data from Oracle 11.2 using java and jdbc driver.

My goal is to get data from database using CallableStatement, but with no luck - I'm not able to put table name as parameter. I would like to have configurable table name in query. However, it would be good to keep it sanitized.

Here is an example..

public void getData() throws SQLException {

    Connection conn = Config.getSQLConnection();
    String query = "SELECT * FROM ?";
    PreparedStatement st = conn.prepareStatement(query);
    st.setString(1, Config.DATATABLE_NAME);
    ResultSet rs = st.executeQuery();

    if (rs.next()) {
        System.out.println("SUCCESS");
        System.out.println("ID:" + rs.getString("ID"));
    } else {
        System.out.println("FAILURE");
    }
}

Is this the way it should work? Or am I missing something, or misused it?

Answer 1

A CallableStatement is used to make call to stored procedures.

From javadoc :

The interface used to execute SQL stored procedures

Use a PreparedStament instead for a normal select.

As an additional note don't pass the name of the table as parameter. Create the query using concatenation.

Instead of

String query = "SELECT * FROM ?";

use

String query = "SELECT * FROM " + Config.DATATABLE_NAME;

Answer 2

You should use PreparedStatement instead of CallableStatement. CallableStatement is an interface which is used to call stored procedures.