参数无法在Java中运行的SQLite查询

Question

I have a program that selects from a database given a table and column string.

public void selectAllFrom(String table, String column){
        String sql = "SELECT ? FROM ?";

        try (Connection conn = this.connect();
             PreparedStatement pstmt  = conn.prepareStatement(sql)){
            pstmt.setString(1, column);
            pstmt.setString(2, table);

            ResultSet rs = pstmt.executeQuery();

            while (rs.next()){
                System.out.println(rs.getString(column));
            }

        } catch (SQLException e){
            System.out.println(" select didn't work");
            System.out.println(e.getMessage());
        }
    }

For some reason it is not working and it is going right to catch

Here is the connect() function as well:

private Connection connect(){
    Connection conn = null;
    // SQLite connection string
    String url = "jdbc:sqlite:C:/sqlite/db/chinook.db";

    try{
    // creates connection to the database
    conn = DriverManager.getConnection(url);
    System.out.println("Connection to SQLite has been established");
    } catch (SQLException e){
        System.out.println(e.getMessage());
        System.out.println("Connection didn't work");
    } 

    return conn;
}

I know the problem is not with the database because I'm able to run other select queries without parameters. It is the parameters that are giving me the problem. Can anyone tell what the problem is?

Answer 1

A table or column name can't be used as a parameter to PreparedStatement. It must be hard coded.

String sql = "SELECT " + column + " FROM " + table;

You should reconsider the design so as to make these two constant and parameterize the column values.

Answer 2

? is a place holder to indicate a bind variable. When a SQL statement is executed, database first checks syntax, and validates the objects being referenced, columns and access permission for specified objects (ie metadata about objects) and confirms that all are in place and valid. This stage is called parsing.

Post parsing, it substitutes bind variables to query and then proceeds for actual fetch of results.

Bind variables can be substituted in any place in query to replace an actual hard coded data/strings, but not the query constructs them selves. It means

• You can not use bind variables for keywords of sql query (ex: SELECT, UPDATE etc.)
• You can not use bind variables for objects or their attributes (ie table names, column names, functions, procedures etc.)
• You can use them only in place of a otherwise hard coded data.

ex: SELECT FIRST_NAME, LAST_NAME, 'N' IS_DELETED FROM USER_DATA WHERE COUNTRY ='CANADA' AND VERIFIED_USER='YES' In above sample query, 'N' , 'CANADA' and 'YES' are the only strings which can be replaced by a bind variable, not any other word.

Using bind variable is best practice of coding. It improves query performance (when used with large no. of queries in tuned database products like Oracle or MSSQL) and also protects your code against sql injection attacks.

Constructing query by concatenating strings (especially data part of query) is never recommended way. You can still construct a query by concatenation for other parts like table name or column name as long as those strings are not directly taken from input.

Below example is acceptable:

query = "Select transaction_id, transaction_date from ";
if (isHistorical(reportType) 
   { query = query + "HISTORY_TRANSACTIONS" ;}
else
   {query = query + "PRESENT_TRANSACTIONS" ; }

recommended practice is to use

String query_present = "SELECT transaction_id, transaction_date from PRESENT_TRANSACTIONS";
String query_historical = "SELECT transaction_id, transaction_date from HISTORY_TRANSACTIONS";

if (isHisotrical(reportType))
 { 
    ps.executeQuery(query_historical);
 }else{
    ps.executeQuery(query_present);
 }