2

Let's say I have a table with 3 columns: C1, C2, C3

I make a search based on the C1 column. Could I make something similar like this (this is not working - because this is not the way prepareStatement it's used:) )

String c;// the name of the column ... String sql = "select * from table where ? = ?"; pre = con.prepareStatement(sql); pre.setString(1, c); pre.setString(1, i); rs = pre.executeQuery();

The main idea, I don't want to have 3 ifs for every column. An elegant solution?

Improve this question
1
  • shouldnt that be ..... pre.setString(1, 'c1'); pre.setString(2, i); Commented Oct 3, 2009 at 22:15

4 Answers 4

Reset to default
3

This won't work. The prepare statement parses the SQL, sends to the database for validation and compilation. If question marks could substitute parts of the SQL, you would loose the whole point of bound variables - speed and security. You would reintroduce SQL injection back and statements will have to be recompiled for all parameters.

Wouldn't something like SELECT * FROM table WHERE c1 = ? OR c2 = ? OR c3 = ? be better (of course depending on indexes and table sizes).

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

you could code up a a set of sql queries and store them in a map, then grab one based on the column in question.

enum column { a, b, c} Map<column, string> str; static { str.put(a, "select * from tbl where a = ? "); ... }

then just grab one out of the map later based on the enum. String appends in sql statements have a way of becoming security problems in the future.

Improve this answer

Comments

0

Use a dynamic query and a java.sql.Statement:

String whereClause = c + " = " + i; // Form the dynamic Query StringBuffer query = new StringBuffer( "SELECT * FROM TABLE" ); // Add WHERE clause if any query.append(" WHERE " + whereClause); // Create a SQL statement context to execute the Query Statement stmt = con.createStatement(); // Execute the formed query and obtain the ResultSet ResultSet resultSet = stmt.executeQuery(query.toString());
Improve this answer

1 Comment

just be careful with this because it can lead to sql injection
0

can't you do this:

String c;// the name of the column ... String sql = "select * from table where " + c + " = ?"; pre = con.prepareStatement(sql); pre.setString(1, i); rs = pre.executeQuery();

?

If not then this might be a solution:

String c;// the name of the column ... String sql = "select * from table where ('C1' = ? AND C1 = ?) OR ('C2' = ? AND C2 = ?) OR ('C3' = ? AND C3 = ?)" pre = con.prepareStatement(sql); pre.setString(1, c); pre.setString(2, i); pre.setString(3, c); pre.setString(4, i); pre.setString(5, c); pre.setString(6, i); rs = pre.executeQuery();
Improve this answer

2 Comments

I know. I wrote in the question. :)
havn't seen the update; I deleted the part about passing col names to a PreparedStatement.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.