Liam

Reputation: 33

Query returning sql string with wrong parameters

I am currently working on fixing some SQL injection bugs in my project.

Here is my current sql string:

String sql = "select * from :table order by storenum";

Here is how I am setting the parameters:

SQLQuery query =  sess.createSQLQuery(sql).setParameter("table", table);

(table is a string that is passed in through a method)

Whenever I run the program I get something like this:

select * from ? order by storenum

Upvotes: 1

Views: 33

Answers (1)

Mureinik

Reputation: 312056

You can't dynamically bind table names, only values, so you'll have to resort to string manipulation/concatenation to get the table name dynamically. However, you would probably want to escape it to avoid SQL Injections.

Upvotes: 2
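One way to put the answer into practice, as an added example rather than code from the question or the answer: the table name is checked against an allow-list of known tables (the names "stores" and "stores_archive" are placeholders assumed here) and a strict identifier pattern before it is concatenated into the SQL text, while an ordinary value is still bound with setParameter. The example assumes Hibernate 5.2+ and uses createNativeQuery in place of the older createSQLQuery from the question; the extra "storenum >= :minStore" filter is added only to show the contrast between an identifier and a bindable value.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import org.hibernate.Session;
import org.hibernate.query.NativeQuery;

/**
 * Added example (not from the question or the answer): the table name is
 * validated before it is concatenated, and real values stay as parameters.
 */
public class SafeTableQuery {

    // Assumed allow-list of the tables this code is permitted to read.
    private static final Set<String> ALLOWED_TABLES = Set.of("stores", "stores_archive");

    // Defensive second check: a plain identifier with no quotes, spaces or dots.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,62}$");

    /** Returns the table name if it is a known identifier; throws otherwise. */
    public static String validateTableName(String table) {
        if (table == null
                || !IDENTIFIER.matcher(table).matches()
                || !ALLOWED_TABLES.contains(table)) {
            throw new IllegalArgumentException("unknown table name");
        }
        return table;
    }

    /**
     * Builds the SQL text. Only the validated identifier is concatenated;
     * the value filter is left as a named placeholder for the driver to bind.
     */
    public static String buildSql(String table) {
        return "select * from " + validateTableName(table)
                + " where storenum >= :minStore order by storenum";
    }

    /** Runs the query: identifier validated and concatenated, value bound. */
    public static List<?> fetch(Session sess, String table, int minStore) {
        NativeQuery<?> query = sess.createNativeQuery(buildSql(table));
        query.setParameter("minStore", minStore); // a value: bound, never concatenated
        return query.list();
    }
}
```

An allow-list is preferred over quoting or escaping the identifier because identifier quoting rules differ between databases, whereas a fixed set of expected table names is easy to review and rejects anything unexpected outright.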
