using sql Like in preparedstatement

using sql Like in preparedstatement

Postby haretu » Fri Dec 07, 2012 2:43 pm

PreparedStatement placeholders (those ? things) are for column values only, not for table names, column names, SQL functions/clauses, etcetera. Better use String#format() instead. Second, you should not quote the placeholders like '?', it would only malform the final query. The PreparedStatement setters already do the quoting (and escaping) job for you.

Here's the fixed SQL:
Code: Select all


private static final String SQL = "select instance_id, %s from eam_measurement"
    + " where resource_id in (select RESOURCE_ID from eam_res_grp_res_map where"
    + " resource_group_id = ?) and DSN like ? order by 2");Here is how to use it:

String sql = String.format(SQL, "SUBSTR(DSN,27,16)"); // This replaces the %s.
preparedStatement = connection.prepareStatement(sql);
preparedStatement.setInt(1, defaultWasGroup);
preparedStatement.setString(2, "%Module=jvmRuntimeModule:freeMemory%");
--------------------------------------------------------------------------------
haretu
 
Posts: 132
Joined: Sat Jan 08, 2011 9:56 pm

Return to JAVA

Who is online

Users browsing this forum: No registered users and 1 guest

cron