Query Parameters and Variable Column Names
In Java, using JDBC prepared statements, one may encounter a scenario where dynamic column names need to be specified in a query. Unfortunately, column names cannot be set directly as prepared statement parameters: parameters are bound as values, not as identifiers, so the driver quotes them as string literals.
Attempts to specify column names as values result in queries like:
SELECT a,b,c,'d,e,f' FROM some_table WHERE d='x'
The desired query, however, would be:
SELECT a,b,c,d,e,f FROM some_table WHERE d='x'
Solution and Considerations
Using variable column names in this manner is discouraged, as it usually points to a database design problem and increases the risk of SQL injection. Instead, consider creating a dedicated database column to hold these "column names" and store the data accordingly.
If you still require variable column names, a workaround is to sanitize the input, build the SQL string manually, quote the column names, and escape quotes within the names using String#replace(). Remember that this approach still leaves the query open to SQL injection if the names come from untrusted input, so sanitization (such as checking each name against a fixed list of known columns) is essential; only the values should be bound through the prepared statement's placeholders.
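One way to implement this in Java, as an added example that is not code from the original article: column names are checked against a fixed allowlist and quoted as identifiers, while the filter value still goes through a ? placeholder. The table name some_table, the columns a to f, and the helper names are assumptions for the illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

public class DynamicColumns {
    // Allowlist of columns the application may select (hypothetical table some_table).
    private static final Set<String> ALLOWED = Set.of("a", "b", "c", "d", "e", "f");

    // Quote an ANSI SQL identifier: wrap in double quotes and double any embedded quote.
    static String quoteIdentifier(String name) {
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    // Build SELECT <cols> FROM some_table WHERE d = ? . Every requested name must be
    // on the allowlist, so untrusted text never reaches the SQL; the value stays a parameter.
    static String buildSelect(List<String> requested) {
        for (String col : requested) {
            if (!ALLOWED.contains(col)) {
                throw new IllegalArgumentException("column not permitted: " + col);
            }
        }
        String cols = requested.stream()
                .map(DynamicColumns::quoteIdentifier)
                .collect(Collectors.joining(","));
        return "SELECT " + cols + " FROM some_table WHERE d = ?";
    }

    // Run the built query and return the first selected column of each row as a string.
    static List<String> firstColumn(Connection conn, List<String> cols, String dValue)
            throws SQLException {
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(buildSelect(cols))) {
            ps.setString(1, dValue); // the value is bound, never concatenated
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.add(rs.getString(1));
                }
            }
        }
        return out;
    }

    public static void main(String[] args) {
        System.out.println(buildSelect(List.of("a", "b", "c", "d", "e", "f")));
        try {
            buildSelect(List.of("a", "not_a_column"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```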