Erreur avec une requête paramétrée simple - Java / SQL

Question

Suivre l'une de mes questions précédentes à faire avec Conception de la méthode I étaitconseillé de mettre en œuvre mes requêtes SQL comme une requête paramétrée par opposition à une simple chaîne.

Je n'ai jamais utilisé des requêtes paramétrées avant que j'ai décidé de commencer quelque chose de simple, prenez la relève suivante SELECT ÉTUDE:

String select = "SELECT * FROM ? ";

PreparedStatement ps = connection.prepareStatement(select);
ps.setString(1, "person");

Cela me donne l'erreur suivante: "[sqlite_error] sql error ou base de données manquante (proche" ": erreur de syntaxe)"

J'ai ensuite essayé une version modifiée qui a des critères supplémentaires;

String select = "SELECT id FROM person WHERE name = ? ";

PreparedStatement ps = connection.prepareStatement(select);
ps.setString(1, "Yui");

Cette version fonctionne bien, dans mon premier exemple, je manque le point de requêtes paramétrées ou je les construisie de manière incorrecte?

merci!

Answer 1

Simply put, SQL binds can't bind tables, only where clause values. There are some under-the-hood technical reasons for this related to "compiling" prepared SQL statements. In general, parameterized queries was designed to make SQL more secure by preventing SQL injection and it had a side benefit of making queries more "modular" as well but not to the extent of being able to dynamically set a table name (since it's assumed you already know what the table is going to be).

Answer 2

If you want all rows from PERSON table, here is what you should do:

String select = "SELECT * FROM person";

PreparedStatement ps = connection.prepareStatement(select);

Variable binding does not dynamically bind table names as others mentioned above. If you have the table name coming in to your method as a variable, you may construct the whole query as below:

String select = "SELECT * FROM " + varTableName;
PreparedStatement ps = connection.prepareStatement(select);

Parameterized queries are for querying field names - not the table name!

Answer 3

Prepared statements are still SQL and need to be constructed with the appropriate where clause; i.e. where x = y. One of their advantages is they are parsed by the RDMS when first seen, rather than every time they are sent, which speeds up subsequent executions of the same query with different bind values.