Error con una consulta sencilla parametrizada - Java / SQL
https://stackoverflow.com/questions/5491107
-
14-11-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianPregunta
Siguiendo de una de mis preguntas anteriores para hacer con Método de diseño Fuiaconsejó implementar mis consultas SQL como una consulta parametrizada en lugar de una cadena simple.
Nunca he usado las consultas parametrizadas antes, así que decidí comenzar con algo simple, tome la siguiente declaración de selección :
String select = "SELECT * FROM ? ";
PreparedStatement ps = connection.prepareStatement(select);
ps.setString(1, "person");
Esto me da el siguiente error: "[SQLITE_ERROR] SQL Error o Base de datos faltante (cerca"? ": Error de sintaxis)"
Luego intenté una versión modificada que tiene criterios adicionales;
String select = "SELECT id FROM person WHERE name = ? ";
PreparedStatement ps = connection.prepareStatement(select);
ps.setString(1, "Yui");
Esta versión funciona bien, en mi primer ejemplo, ¿estoy perdiendo el punto de las consultas parametrizadas o las construyo incorrectamente?
¡Gracias!
Solución
Simply put, SQL binds can't bind tables, only where clause values. There are some under-the-hood technical reasons for this related to "compiling" prepared SQL statements. In general, parameterized queries was designed to make SQL more secure by preventing SQL injection and it had a side benefit of making queries more "modular" as well but not to the extent of being able to dynamically set a table name (since it's assumed you already know what the table is going to be).
Otros consejos
If you want all rows from PERSON table, here is what you should do:
String select = "SELECT * FROM person";
PreparedStatement ps = connection.prepareStatement(select);
Variable binding does not dynamically bind table names as others mentioned above. If you have the table name coming in to your method as a variable, you may construct the whole query as below:
String select = "SELECT * FROM " + varTableName;
PreparedStatement ps = connection.prepareStatement(select);
Parameterized queries are for querying field names - not the table name!
Prepared statements are still SQL and need to be constructed with the appropriate where clause; i.e. where x = y. One of their advantages is they are parsed by the RDMS when first seen, rather than every time they are sent, which speeds up subsequent executions of the same query with different bind values.
