シンプルなパラメータ化クエリのエラー - Java / SQL

Question

前の質問の1つからメソッドDesign 単純な文字列とは対照的に、私のSQLクエリをパラメータ化されたクエリとして実装することをお勧めします。

私はパラメータ化されたクエリを使用したことがないので、簡単なもので始めることにしました、次の select ステートメント：

String select = "SELECT * FROM ? ";

PreparedStatement ps = connection.prepareStatement(select);
ps.setString(1, "person");

.

これは次のエラーを与えます： "sqlite_error] SQLエラーやデータベースの欠落（近く"？ "：構文エラー）"

その後、追加の基準を持つ修正版を試しました。

String select = "SELECT id FROM person WHERE name = ? ";

PreparedStatement ps = connection.prepareStatement(select);
ps.setString(1, "Yui");

.

このバージョンは、私の最初の例では、パラメータ化されたクエリのポイントが不足しているか、私は正しく構築していますか？

ありがとう！

Answer 1

Simply put, SQL binds can't bind tables, only where clause values. There are some under-the-hood technical reasons for this related to "compiling" prepared SQL statements. In general, parameterized queries was designed to make SQL more secure by preventing SQL injection and it had a side benefit of making queries more "modular" as well but not to the extent of being able to dynamically set a table name (since it's assumed you already know what the table is going to be).

Answer 2

If you want all rows from PERSON table, here is what you should do:

String select = "SELECT * FROM person";

PreparedStatement ps = connection.prepareStatement(select);

Variable binding does not dynamically bind table names as others mentioned above. If you have the table name coming in to your method as a variable, you may construct the whole query as below:

String select = "SELECT * FROM " + varTableName;
PreparedStatement ps = connection.prepareStatement(select);

Parameterized queries are for querying field names - not the table name!

Answer 3

Prepared statements are still SQL and need to be constructed with the appropriate where clause; i.e. where x = y. One of their advantages is they are parsed by the RDMS when first seen, rather than every time they are sent, which speeds up subsequent executions of the same query with different bind values.