问题
I wanted to know of some way to create table on the fly based on user input(SQL Prepared Statement)
CREATE TABLE ? (
First_Name char(50),
Last_Name char(50)
)
What should i put in place of question mark
回答1:
PreparedStatement placeholders are not intended for table names nor column names, they are only intended for actual column values.
So you would have to create the (prepared) statement string dynamically, which means your application will be vulnerable to SQL injection. Depending on how the application is supposed to be used - and by who - this could be a BIG problem.
Related question
- How do I sanitize SQL without using prepared statements
回答2:
As the other answers point out, you cannot use prepared statement in this case, as replacement of table names is not supported in most DBMS.
However, I'd like to point out that choosing a table name based on user input seems like a bad idea. How do you prevent duplicates, or invalid names?
Why does the table name matter?
来源:https://stackoverflow.com/questions/3655615/sql-prepared-statement-to-create-table