2

I've been trying to figure out why my prepared statement puts ' before and after my strings. When I try to use this code for my Postgressql database server I get an syntax error. This is because this program processes the code as following :

Imagine I call this method as follow:

selectStringQuery("username", "users", "id", 1);

Then the program returns the following prepared statement: 

SELECT 'username' FROM 'users' WHERE 'id' = 1;

The following error occurs when i run the program :

org.postgresql.util.PSQLException: ERROR: syntax error at or near "$2"
Position: 16

It should produce this:

SELECT username FROM users WHERE id = 1;

Could somebody please tell me what I'm missing here?

 * Executes a select query.
 * @param selectFieldName
 * @param tableName
 * @param conditionFieldName
 * @param conditionValue
 * @return 
 */public String selectStringQuery(String selectFieldName, String tableName, String conditionFieldName, int conditionValue){
    try {
        // *** Start execution of query ***
        query = "SELECT ? FROM ? WHERE ? = ?;";
        preparedStatement = prepareStatement(query);
        preparedStatement.setString(1, selectFieldName);
        preparedStatement.setString(2, tableName);
        preparedStatement.setString(3, conditionFieldName);
        preparedStatement.setInt(4, conditionValue);
        System.out.println(preparedStatement);
        resultSet = preparedStatement.executeQuery();
        // *** End execution of query ***

        // *** Start validity checks ***       
        if(!resultSet.next()){
            System.out.println("Query did not return any results.");
            return null;
        }
        // *** End validity checks ***

        // *** Start process query results ***
        String result = resultSet.getString(selectFieldName);
        return result;
        // *** End process query results ***
    } catch (Exception ex) {
        System.out.println(ex);
        return null;
    }
}
singhakash
  • 7,891
  • 6
  • 31
  • 65
Herm L
  • 37
  • 1
  • 8
  • Show your `prepareStatement()` method code. – Kayaman Apr 28 '15 at 10:48
  • i don't think you should parameterize your table name: http://stackoverflow.com/questions/11312737/can-i-parameterize-the-table-name-in-a-prepared-statement – Moh-Aw Apr 28 '15 at 10:49
  • Possibly duplicated: http://stackoverflow.com/questions/21540527/date-trunc-org-postgresql-util-psqlexception-error-syntax-error-at-or-near-1 – Tavo Apr 28 '15 at 10:51

3 Answers3

4

Try concatinating the table name and column name in query string.

query = "SELECT "+selectFieldName+" FROM "+tableName+" WHERE "+conditionFieldName+" = ?;";

I think you cant pass table name and column name as parameter.The parameter are treated as column value and '' is added to them

singhakash
  • 7,891
  • 6
  • 31
  • 65
0

You could try something like this

 query = "SELECT "+selectFieldName+" FROM "+tableName+" WHERE "+selectFieldName+" = ?;"
HJK
  • 1,382
  • 2
  • 9
  • 19
0

Parameters cannot be used to parameterize the table, or parameterize any database objects. They're mostly used for parameterizing WHERE/HAVING clauses.

query = "select "+fieldName+" from "+tableName+" where "+conditionFieldName+" = ?;"
preparedStatement.setInt(1, conditionValue);
singhakash
  • 7,891
  • 6
  • 31
  • 65
Praveen Kumar
  • 121
  • 1
  • 7