Safe way to use table name as parameter in JDBC query

java jdbc dynamic tablename

Martin · Oct 6, 2016 · Viewed 7.2k times · Source

What is the safe way how to put table name as parameter into SQL query? You cannot put table name as parameter using PreparedStatement. Concatenating string to execute query with dynamic table name using Statement is possible, however it is not recommended because of risk of SQL injection. What is the best approach to do this?

Answer

The best way would be:

To put your table name between the characters used to delimit the name of the table which change from one database to another
And escape the provided table name accordingly such that SQL injection won't be possible anymore.

So for example in case of MySQL, the table name's delimiter is the backquote character and we escape it by simply doubling it.

If your query is SELECT foo from bar, you could rewrite your query as next:

 String query = String.format("SELECT foo from `%s`", tableName.replace("`", "``"));

This way you inject the name of your table without taking the risk of seeing some malicious code being injected.

Safe way to use table name as parameter in JDBC query

Answer

Related questions