Reputation: 2831
I am creating a program to upload a bunch of database comments to tables and columns from an input file.
I started using prepared statements but then quickly realized that wouldn't work for DDL statements.
I am essentially changing the SQL statement on a table comment for each table name and its description:
"comment on table " + name.trim() + " is " + "'" + description.trim() + "'";
same for column comments.
There is no alternative to using a prepared statement for this, correct? Also, is this vulnerable to SQL injection?
Upvotes: 2
Views: 953
Reputation: 4784
This is not so much a JDBC issue as a database issue. Databases do not allow you to prepare DDL, since there is not much potential for reuse. Most of the time, the reason you would want to prepare a statement is if there is reuse potential. DDL is mostly for one-off use, to set up the schema for an application. (Note my use of "most of the time" and "mostly" to indicate the most common use case.)
Also, in general, if you construct a SQL or DDL statement using string concatenation, you are opening yourself not just to SQL injection, but to other problems like syntax errors, escaping of characters, and so on. So the better practice is to keep your DDL outside of your main application logic. Is this possible in your case?
Upvotes: 3
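An added example (not from the question or answer above) of what the concatenation in the question does with hostile input, and of the two mitigations available when DDL really cannot be parameterized: quote and escape the identifier and the literal yourself, and accept only table names that the catalog (via `DatabaseMetaData`) says exist. The class name `SafeDdlComments`, the method names, the `customers` table and the "evil" description string are all constructed for this illustration; `applyTableComment` assumes an open `java.sql.Connection` to a database that supports `COMMENT ON` (Oracle, PostgreSQL, DB2; MySQL and SQL Server use different syntax).

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public final class SafeDdlComments {

    // The construction from the question: table name and description are spliced in raw.
    static String naiveCommentOnTable(String name, String description) {
        return "comment on table " + name.trim() + " is " + "'" + description.trim() + "'";
    }

    // Identifier: wrap in the driver's quote string and double any embedded quote character.
    // If the driver reports no quote string (a single space), fall back to a strict allow-list.
    static String quoteIdentifier(String identifier, String quote) {
        String id = identifier.trim();
        if (id.isEmpty()) {
            throw new IllegalArgumentException("empty identifier");
        }
        if (quote == null || quote.trim().isEmpty()) {
            if (!id.matches("[A-Za-z_][A-Za-z0-9_]*")) {
                throw new IllegalArgumentException("identifier not allowed: " + id);
            }
            return id;
        }
        return quote + id.replace(quote, quote + quote) + quote;
    }

    // String literal: double every single quote, which is how standard SQL escapes them.
    static String quoteLiteral(String text) {
        return "'" + text.trim().replace("'", "''") + "'";
    }

    static String safeCommentOnTable(String name, String description, String quote) {
        return "comment on table " + quoteIdentifier(name, quote) + " is " + quoteLiteral(description);
    }

    static String safeCommentOnColumn(String table, String column, String description, String quote) {
        return "comment on column " + quoteIdentifier(table, quote) + "." + quoteIdentifier(column, quote)
                + " is " + quoteLiteral(description);
    }

    // Table names as the catalog spells them (assumes an open connection; schema may be null).
    static List<String> catalogTables(Connection conn, String schema) throws SQLException {
        List<String> tables = new ArrayList<>();
        DatabaseMetaData md = conn.getMetaData();
        try (ResultSet rs = md.getTables(null, schema, "%", new String[] {"TABLE"})) {
            while (rs.next()) {
                tables.add(rs.getString("TABLE_NAME"));
            }
        }
        return tables;
    }

    // Comment only on tables that exist, using the catalog's own spelling of the name.
    // Quoted identifiers are case-sensitive, so the input file's spelling is not trusted.
    static void applyTableComment(Connection conn, String schema, String name, String description)
            throws SQLException {
        String wanted = name.trim();
        String canonical = null;
        for (String t : catalogTables(conn, schema)) {
            if (t.equalsIgnoreCase(wanted)) {
                canonical = t;
                break;
            }
        }
        if (canonical == null) {
            throw new IllegalArgumentException("unknown table in input file: " + wanted);
        }
        String quote = conn.getMetaData().getIdentifierQuoteString();
        try (Statement st = conn.createStatement()) {
            st.execute(safeCommentOnTable(canonical, description, quote));
        }
    }

    public static void main(String[] args) {
        // Constructed malicious description: closes the literal and appends a second statement.
        String evil = "Customer data'; drop table customers; --";
        System.out.println(naiveCommentOnTable("customers", evil));
        System.out.println(safeCommentOnTable("customers", evil, "\""));
        System.out.println(safeCommentOnColumn("customers", "email", "Contact e-mail", "\""));
    }
}
```

Running `main` shows the difference: in the naive statement the description's single quote terminates the literal, so everything after it is parsed as SQL; in the escaped statement that quote is doubled and the whole description stays inside the literal. Escaping alone is still weaker than a parameter, because it depends on the DBMS agreeing with you about quoting rules, which is why `applyTableComment` also refuses any table name the catalog does not report. Keeping the DDL in a versioned script outside the application, as the answer suggests, avoids the problem entirely.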