
I have a query, but I am not sure if I should pass '?' in the query, or whether I should treat it like a variable and just set "b." + name in the statement itself.

SELECT x, y, z
FROM someTable
WHERE ....
UNION
SELECT a.x, a.y, a.z
FROM someTable a, someTable b
WHERE a.id = ?
AND b.seq = a.seq
AND UPPER(b.?)   -- is this correct???
LIKE ?

If I change the line above to AND UPPER(?) and then set the statement...

statement.setString(x, "b."+customString);

Or should I do this instead? AND UPPER(b.?)

statement.setString(x, customString); // or this?

Is the outcome the same? Is there any unexpected behavior with either way?

logger
  • If it's set internally, you can append it directly. If it's coming from the client... well, you have bigger problems on your hands. – shmosel May 08 '19 at 20:09
  • Table name `b` doesn't change, but I am not sure what would happen if I just append to it, or whether there is any unexpected behavior. – logger May 08 '19 at 20:11
  • Technically correct or not, it looks like a huuuuuuge backdoor gap. – m.antkowicz May 08 '19 at 20:12
  • Is this what you're trying to do? https://stackoverflow.com/q/3135973/217324 You can only set values as parameters; you can't specify tables or columns. This is not string interpolation. – Nathan Hughes May 08 '19 at 20:23
  • The column name is selected based on some conditions (from the request; I am not 100% sure where the request is coming from). Am I not able to set the column name from the prepared statement? – logger May 08 '19 at 20:32
  • No, you can't use `setString` to set the column name. You'll have to use string concatenation to get it in. I would recommend using an enum for the available column names, so that you can avoid the situation where somebody like Bobby Tables provides an invalid column name. – Dawood ibn Kareem May 08 '19 at 20:44
  • But then how do you fix SQL injection in this case? – logger May 09 '19 at 12:28
  • The JDBC driver takes care of escaping parameter values for you. When you create a query by concatenation, you have to make sure you keep user-provided data out of it. Closing as a duplicate. – Nathan Hughes May 09 '19 at 19:19
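The difference the comments describe, shown as an added example that is not from the question or its commenters: Python's sqlite3 stands in for JDBC, since the placeholder rule is the same in both (`?` binds a value, never a table or column name). The first variant binds "b." + column as a value, so the database compares the literal string; the second validates the column against an allow-list and concatenates it, while id and pattern stay bound. The table, its rows and the allow-list are constructed for the example.

```python
import sqlite3

# Constructed allow-list: the only identifiers a caller may pick.
ALLOWED_COLUMNS = {"name", "city"}


def make_db():
    """Constructed in-memory stand-in for the question's someTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE someTable (id INTEGER, seq INTEGER, x, y, z, name TEXT, city TEXT)"
    )
    conn.executemany(
        "INSERT INTO someTable VALUES (?, ?, ?, ?, ?, ?, ?)",
        [
            (1, 10, "x1", "y1", "z1", "Alice", "Berlin"),
            (2, 10, "x2", "y2", "z2", "Bob", "Paris"),
        ],
    )
    return conn


def bound_identifier_rows(conn, column, pattern):
    """First variant from the question: bind 'b.' + column as a VALUE.
    UPPER(?) receives the string 'b.name', so the LIKE is evaluated against
    the literal 'B.NAME' on every joined row, not against the column."""
    sql = (
        "SELECT a.x FROM someTable a, someTable b "
        "WHERE a.id = ? AND b.seq = a.seq AND UPPER(?) LIKE ?"
    )
    return conn.execute(sql, (1, "b." + column, pattern)).fetchall()


def build_query(column):
    """Identifiers cannot be parameters, so the column is checked against the
    allow-list and only then concatenated; values remain '?' placeholders."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    return (
        "SELECT a.x FROM someTable a, someTable b "
        f"WHERE a.id = ? AND b.seq = a.seq AND UPPER(b.{column}) LIKE ?"
    )


def allowlisted_rows(conn, column, pattern):
    """Second variant, done safely: validated identifier + bound values."""
    return conn.execute(build_query(column), (1, pattern)).fetchall()
```

With the bound-value variant, a pattern such as "%BOB%" matches nothing and "B.%" matches every joined row, which is the literal-string behaviour the comments warn about.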

0 Answers