
My code here:

[screenshot of the code; image not available in this extract]

but it doesn't work. How can I do that? I have a list of table names in a JComboBox fetched from the database, and when I choose one of them, this frame should display all columns and data of that table.

Nimantha
Phongg

1 Answer


Try putting an empty space after the FROM statement. However, what you are doing is just string manipulation and might create an injection risk. You should at least use parametrized strings with placeholders.

You can check the link below:

https://www.baeldung.com/sql-injection

asgarov
  • I tried putting an empty space after the FROM statement but it didn't work @@. Can you give me an example of parametrized strings with placeholders? – Phongg Jan 08 '22 at 04:06
  • I tried the placeholder "?" but it didn't work for the table name – Phongg Jan 08 '22 at 04:13
  • What kind of error do you receive? – asgarov Jan 08 '22 at 04:15
  • Must declare the table variable "@P0". – Phongg Jan 08 '22 at 04:38
  • @Phongg You can only use parameters to substitute values, not object names like column or table names. – Mark Rotteveel Jan 08 '22 at 08:49
  • @MarkRotteveel So how can I solve my problem? – Phongg Jan 08 '22 at 12:19
  • @Phongg You solve your original problem by adding a space after `FROM`, that is `"SELECT * FROM " + name`. If `name` comes from user input, you may want to check against an allowed list of table names, or properly escape things using [`Statement.enquoteIdentifier`](https://docs.oracle.com/en/java/javase/17/docs/api/java.sql/java/sql/Statement.html#enquoteIdentifier(java.lang.String,boolean)), for the rest, see the duplicate (and its duplicate). – Mark Rotteveel Jan 08 '22 at 12:48
  • @MarkRotteveel I tried adding a space after FROM, and `name` is a variable I get from the JComboBox, but it fails: Incorrect syntax near 'FROM'. – Phongg Jan 08 '22 at 13:02
  • @Phongg Then the query your concatenation generated is not valid. Print out the query and see what it looks like. – Mark Rotteveel Jan 08 '22 at 13:17
  • @MarkRotteveel The query is: Select * from, it does not have a table name. – Phongg Jan 08 '22 at 13:22
  • @Phongg That suggests that `name` is an empty string. With that said, I'm bowing out of this thread. Debugging by comment is not what Stack Overflow is for. – Mark Rotteveel Jan 08 '22 at 13:28
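The approach the answer and comments arrive at, written out as an added example (this is not code from the question, the answer or any commenter): the combo box is populated from the database's own table list, the selection is checked against that same allow-list before any SQL is built, the identifier is delimited with `Statement.enquoteIdentifier` (Java 9+) because a `?` placeholder cannot stand in for a table name, and an empty or null selection (the cause of the `Incorrect syntax near 'FROM'` error) is rejected up front. The class name `TableBrowser`, the helper names, and the JDBC URL passed as `args[0]` are assumptions for this example; any JDBC driver will do.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.LinkedHashSet;
import java.util.Set;

public class TableBrowser {

    // Allow-list built from JDBC metadata: the tables the connected user can see.
    // Populate the JComboBox from this set, then validate the selection against it
    // again before building SQL, so the identifier never comes from free user input.
    static Set<String> listTables(Connection conn) throws SQLException {
        Set<String> tables = new LinkedHashSet<>();
        DatabaseMetaData md = conn.getMetaData();
        try (ResultSet rs = md.getTables(null, null, "%", new String[] {"TABLE"})) {
            while (rs.next()) {
                tables.add(rs.getString("TABLE_NAME"));
            }
        }
        return tables;
    }

    // Build "SELECT * FROM <table>" for an allow-listed table only.
    // A '?' placeholder cannot stand in for a table name (the "@P0" error in the
    // comments), so the name is concatenated, but only after the allow-list check
    // and after Statement.enquoteIdentifier has turned it into a single delimited
    // identifier. Note the space after FROM, which was the original bug.
    static String buildSelect(Connection conn, Set<String> allowed, String chosen)
            throws SQLException {
        if (chosen == null || chosen.trim().isEmpty()) {
            // JComboBox.getSelectedItem() returns null when nothing is selected; an
            // empty name is what produced "Incorrect syntax near 'FROM'" in the question.
            throw new IllegalArgumentException("no table selected");
        }
        if (!allowed.contains(chosen)) {
            throw new IllegalArgumentException("not an allowed table: " + chosen);
        }
        try (Statement st = conn.createStatement()) {
            // alwaysQuote=true: the name is always wrapped in the driver's delimiters;
            // the default implementation throws SQLException if the name contains '"'.
            return "SELECT * FROM " + st.enquoteIdentifier(chosen, true);
        }
    }

    // Run the query and print every column header and row. A Swing frame would feed
    // the same ResultSet into a TableModel instead of System.out.
    static int showTable(Connection conn, String chosen) throws SQLException {
        String sql = buildSelect(conn, listTables(conn), chosen);
        int rows = 0;
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            ResultSetMetaData meta = rs.getMetaData();
            int cols = meta.getColumnCount();
            StringBuilder header = new StringBuilder();
            for (int i = 1; i <= cols; i++) {
                header.append(meta.getColumnLabel(i)).append(i < cols ? "\t" : "");
            }
            System.out.println(header);
            while (rs.next()) {
                StringBuilder line = new StringBuilder();
                for (int i = 1; i <= cols; i++) {
                    line.append(rs.getString(i)).append(i < cols ? "\t" : "");
                }
                System.out.println(line);
                rows++;
            }
        }
        return rows;
    }

    // Assumed usage (not from the question): args[0] is a JDBC URL such as
    // jdbc:sqlserver://host;databaseName=db;..., args[1] the table chosen in the combo box.
    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(args[0])) {
            Set<String> tables = listTables(conn);
            System.out.println("tables available for the combo box: " + tables);
            System.out.println(buildSelect(conn, tables, args[1]));
            showTable(conn, args[1]);
        }
    }
}
```

Two points worth keeping in mind when adapting this: the allow-list check is the control that actually prevents an attacker-chosen identifier from reaching the query, and `enquoteIdentifier` is the belt-and-braces step that keeps a legitimate name with odd characters (spaces, reserved words) from breaking the statement. If you later add a `WHERE` clause, its values do belong in `?` placeholders on a `PreparedStatement`; only identifiers need the allow-list treatment.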