From: | Chris <cmattmiller(at)gmail(dot)com> |
---|---|
To: | pgsql-jdbc(at)postgresql(dot)org |
Subject: | Re: Can't use a variable for a column name? |
Date: | 2008-04-25 17:58:54 |
Message-ID: | eac7b0710804251058k2033e20fm80231850079a9d89@mail.gmail.com |
Lists: | pgsql-jdbc |
That worked. Thanks.
On Fri, Apr 25, 2008 at 1:39 AM, Albe Laurenz <laurenz(dot)albe(at)wien(dot)gv(dot)at> wrote:
> Chris wrote:
> > A user enters a name into a textfield and clicks on a "Find"
> > button. Depending on which text field the user entered the
> > data, the appropriate column name in the table is used for
> > fieldName and the entered text is passName. However, the
> > fieldName doesn't return anything. But if I replace
> > fieldName with the column name ("WHERE first_name='"), the
> > program returns values. Can't we use variables for column
> > names or do I have to just put it all in an if/else statement?
> >
> > Here is my code:
> >
> > result = fe.executeQuery("SELECT first_name, last_name, emp_nbr, " +
> >     "emp_type_code, emp_status_code, emp_work_center " +
> >     "FROM employee " +
> >     "WHERE '"+fieldName+"'='"+passName+"'");
>
> I'm not 100% certain if I understood you right, but if I did,
> the statement should look like this:
>
> result = fe.executeQuery("SELECT first_name, last_name, emp_nbr, " +
>     "emp_type_code, emp_status_code, emp_work_center " +
>     "FROM employee " +
>     "WHERE "+fieldName+"='"+passName+"'");
>
> Also, be aware that this is wide open to SQL injection, unless you
> double single quotes in fieldName and passName first.
>
> Yours,
> Laurenz Albe
>
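The concatenated statement in the quoted reply leaves both the column name and the search value under user control. As an added example, not code from this thread, here is that vulnerable builder beside a hardened version: a column name is an SQL identifier and cannot be a bind parameter, so it is checked against a fixed allow-list, while the value is bound through a PreparedStatement so quotes inside it stay data. The class name, the allow-list contents and the open `conn` Connection are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class EmployeeSearch {
    // Assumed allow-list: the only columns a user may search on. An identifier cannot be
    // sent as a bind parameter, so this fixed set is the check that replaces quoting.
    private static final Set<String> SEARCHABLE =
        Set.of("first_name", "last_name", "emp_nbr");

    // The form from the thread, kept for contrast: identifier and value are both
    // spliced into the statement text, so a value containing a single quote
    // changes the shape of the query instead of being compared as data.
    static String vulnerableSql(String fieldName, String passName) {
        return "SELECT first_name, last_name, emp_nbr, emp_type_code, "
             + "emp_status_code, emp_work_center FROM employee "
             + "WHERE " + fieldName + "='" + passName + "'";
    }

    // Hardened form: the identifier must be one of the known columns, and the
    // value is left as a '?' placeholder for the driver to bind.
    static String safeSql(String fieldName) {
        if (!SEARCHABLE.contains(fieldName)) {
            throw new IllegalArgumentException("not a searchable column: " + fieldName);
        }
        return "SELECT first_name, last_name, emp_nbr, emp_type_code, "
             + "emp_status_code, emp_work_center FROM employee "
             + "WHERE " + fieldName + " = ?";
    }

    // conn is assumed to be an open JDBC Connection to the employee database.
    static ResultSet find(Connection conn, String fieldName, String passName)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(safeSql(fieldName));
        ps.setString(1, passName); // bound separately; no quoting of passName needed
        return ps.executeQuery();
    }
}
```

A rejected column name surfaces as an IllegalArgumentException before any SQL is sent, which is the behaviour to log and alert on rather than silently fall back to a default column.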