
Using PrepareStatement to get data with configurable table name

I'm trying to get some data from Oracle 11.2 using Java and the JDBC driver.

My goal is to get data from the database using CallableStatement, but with no luck: I'm not able to pass the table name as a parameter. I would like to have a configurable table name in the query. However, it would be good to keep it sanitized.

Here is an example:

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public void getData() throws SQLException {

    Connection conn = Config.getSQLConnection();
    // The table name is supplied as a bind parameter here; a "?" placeholder
    // can only carry a value, not an identifier, so the driver/DB rejects it.
    String query = "SELECT * FROM ?";
    PreparedStatement st = conn.prepareStatement(query);
    st.setString(1, Config.DATATABLE_NAME);
    ResultSet rs = st.executeQuery();

    if (rs.next()) {
        System.out.println("SUCCESS");
        System.out.println("ID:" + rs.getString("ID"));
    } else {
        System.out.println("FAILURE");
    }
}

Is this the way it should work? Or am I missing something, or misused it?

A CallableStatement is used to make calls to stored procedures.

From the javadoc:

The interface used to execute SQL stored procedures

Use a PreparedStatement instead for a normal select.

As an additional note, don't pass the name of the table as a parameter. Create the query using concatenation.

Instead of

String query = "SELECT * FROM ?";

use

String query = "SELECT * FROM " + Config.DATATABLE_NAME;

You should use PreparedStatement instead of CallableStatement. CallableStatement is an interface which is used to call stored procedures.
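Both answers point the same way: a bind variable carries a value, never an identifier, so a configurable table name has to be spliced into the SQL text itself. The question also asks that the name stay sanitized, which plain concatenation alone does not give you. The following is an added example (not code from the question or from either answer) that validates the configured name against a hypothetical allowlist and an Oracle plain-identifier pattern before concatenating it, while an assumed `ID` filter value is still bound through `?`. `ALLOWED_TABLES`, `TableQuery`, `validateTableName` and `buildQuery` are names invented for this example; `Config` is not used so the class compiles stand-alone.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Added example: the table name is concatenated only after it has been
// checked, so a bad configuration value fails fast instead of reaching Oracle.
public final class TableQuery {

    // Hypothetical allowlist of the tables this code is permitted to read.
    private static final Set<String> ALLOWED_TABLES = Set.of("ORDERS", "CUSTOMERS");

    // Unquoted Oracle identifier: a letter, then letters, digits, '_', '$', '#';
    // 30 characters is the limit on 11.2.
    private static final Pattern PLAIN_IDENTIFIER =
            Pattern.compile("[A-Za-z][A-Za-z0-9_$#]{0,29}");

    /** Returns the upper-cased table name, or throws if it is not a plain, allowlisted identifier. */
    static String validateTableName(String configured) {
        if (configured == null || !PLAIN_IDENTIFIER.matcher(configured).matches()) {
            throw new IllegalArgumentException("configured table name is not a plain identifier");
        }
        String upper = configured.toUpperCase(Locale.ROOT);
        if (!ALLOWED_TABLES.contains(upper)) {
            throw new IllegalArgumentException("table " + upper + " is not on the allowlist");
        }
        return upper;
    }

    /** The identifier is concatenated after validation; the row value is still a bind parameter. */
    static String buildQuery(String configuredTable) {
        return "SELECT * FROM " + validateTableName(configuredTable) + " WHERE ID = ?";
    }

    /** Same shape as the question's getData(), using the validated query and resource cleanup. */
    public static boolean getData(Connection conn, String configuredTable, String id) throws SQLException {
        try (PreparedStatement st = conn.prepareStatement(buildQuery(configuredTable))) {
            st.setString(1, id);                     // value: bound, never concatenated
            try (ResultSet rs = st.executeQuery()) {
                if (rs.next()) {
                    System.out.println("SUCCESS");
                    System.out.println("ID:" + rs.getString("ID"));
                    return true;
                }
                System.out.println("FAILURE");
                return false;
            }
        }
    }

    // Offline demonstration of the validation step; no database connection is needed.
    public static void main(String[] args) {
        System.out.println(buildQuery("orders"));    // SELECT * FROM ORDERS WHERE ID = ?
        // Constructed bad configuration values: one is not a plain identifier,
        // the other is a real table that is simply not allowlisted.
        for (String bad : new String[] {"ORDERS WHERE 1=1", "DUAL"}) {
            try {
                buildQuery(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + bad + "': " + e.getMessage());
            }
        }
    }
}
```

The allowlist is the real control: the identifier pattern only guarantees the spliced text is a single bare name, while the set says which names this code may ever read. If the configuration is meant to name arbitrary tables, swap the set for a lookup against `DatabaseMetaData.getTables()` at startup rather than trusting the string.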
