Using Java Prepared Statements
Posted on 2008-11-02
I'm trying to create a dynamic SQL query using Java. I've been told that prepared statements are the way to go since normal SQL statements can be a security risk.
My understanding of prepared statements is that I can create a statement like:
String sql = "SELECT * FROM myTable T WHERE T.attribute = ?";
PreparedStatement stmt = myconnection.prepareStatement(sql);
Then I can set ? at run time using
My question is centered around what is fair game for the ? replacement. I've only ever seen it used in the WHERE clause (or in the values for an insert or update). For example, can I choose the table in the FROM clause or selection criteria in the SELECT at run time?
I'm trying to understand how flexible prepared statements are.
Thanks for any comments!
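The binding step the post leaves unfinished, plus the identifier question, as an added example (not the poster's code): a JDBC `?` marker only binds a value, so the table and column names have to be chosen from a fixed allowlist before the statement is prepared. Assumes a JDBC driver on the classpath and a placeholder URL `jdbc:example://localhost/db` standing in for a real connection string.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class SafeDynamicQuery {
    // Identifiers cannot be bound with '?', so they come from an allowlist
    // of names the caller is permitted to ask for (constructed sample names).
    private static final Set<String> TABLES = Set.of("myTable", "otherTable");
    private static final Set<String> COLUMNS = Set.of("attribute", "name");

    /** Builds the SQL text; identifiers are checked, the value stays a '?'. */
    static String buildSql(String table, String column) {
        if (!TABLES.contains(table) || !COLUMNS.contains(column)) {
            throw new IllegalArgumentException("identifier not in allowlist: " + table + "." + column);
        }
        return "SELECT * FROM " + table + " T WHERE T." + column + " = ?";
    }

    /** Prepares the statement and binds the runtime value with setString. */
    static int countMatches(Connection conn, String table, String column, String value)
            throws SQLException {
        try (PreparedStatement stmt = conn.prepareStatement(buildSql(table, column))) {
            stmt.setString(1, value); // sent separately from the SQL text, never parsed as SQL
            try (ResultSet rs = stmt.executeQuery()) {
                int n = 0;
                while (rs.next()) n++;
                return n;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: replace with the JDBC URL for your driver.
        String jdbcUrl = "jdbc:example://localhost/db";
        try (Connection conn = DriverManager.getConnection(jdbcUrl)) {
            // A value with a quote in it is handled by the driver, not by string concatenation.
            System.out.println(countMatches(conn, "myTable", "attribute", "O'Brien"));
        }
        try {
            buildSql("secretTable", "attribute"); // not in the allowlist
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

`Set.of` needs Java 9 or later; on older JDKs build the sets with `Collections.unmodifiableSet(new HashSet<>(Arrays.asList(...)))`.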