Re: Can't use a variable for a column name?
From | Albe Laurenz |
---|---|
Subject | Re: Can't use a variable for a column name? |
Date | |
Msg-id | D960CB61B694CF459DCFB4B0128514C2020A7768@exadv11.host.magwien.gv.at |
In reply to | Can't use a variable for a column name? (Chris <cmattmiller@gmail.com>) |
Responses | Re: Can't use a variable for a column name? |
List | pgsql-jdbc |
Chris wrote:
> A user enters a name into a textfield and clicks on a "Find"
> button. Depending on which text field the user entered the
> data, the appropriate column name in the table is used for
> fieldName and the entered text is passName. However, the
> fieldName doesn't return anything. But if I replace
> fieldName with the column name ("WHERE first_name='"), the
> program returns values. Can't we use variables for column
> names or do I have to just put it all in an if/else statement?
>
> Here is my code:
>
> result = fe.executeQuery("SELECT first_name, last_name, emp_nbr, emp_type_code, emp_status_code, emp_work_center" +
>     "FROM employee " +
>     "WHERE '"+fieldName+"'='"+passName+"'");

I'm not 100% certain if I understood you right, but if I did,
the statement should look like this:

result = fe.executeQuery("SELECT first_name, last_name, emp_nbr, emp_type_code, emp_status_code, emp_work_center " +
    "FROM employee " +
    "WHERE "+fieldName+"='"+passName+"'");

Also, be aware that this is wide open to SQL injection, unless you
double single quotes in fieldName and passName first.

Yours,
Laurenz Albe
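Added example, not part of the original message or of the pgsql-jdbc project: a column name cannot be sent as a bind parameter, so this sketch picks it from a fixed allowlist and binds only the user-entered text through a PreparedStatement. The class name EmployeeFinder, the SEARCHABLE map and the UI keys "firstName"/"lastName" are assumptions; the table and column names are taken from the query above.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class EmployeeFinder {
    // Assumed mapping from UI text-field ids to real column names.
    // Only values taken from this map are ever concatenated into SQL text.
    private static final Map<String, String> SEARCHABLE = Map.of(
            "firstName", "first_name",
            "lastName", "last_name");

    // Builds the statement text; rejects any field that is not allowlisted.
    static String buildQuery(String fieldKey) {
        String column = (fieldKey == null) ? null : SEARCHABLE.get(fieldKey);
        if (column == null) {
            throw new IllegalArgumentException("Unsupported search field: " + fieldKey);
        }
        return "SELECT first_name, last_name, emp_nbr, emp_type_code, "
                + "emp_status_code, emp_work_center "
                + "FROM employee WHERE " + column + " = ?";
    }

    // passName travels as a bind parameter, so quotes in it are data, not SQL.
    static List<String> find(Connection conn, String fieldKey, String passName)
            throws SQLException {
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(buildQuery(fieldKey))) {
            ps.setString(1, passName);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getString("first_name") + " " + rs.getString("last_name"));
                }
            }
        }
        return rows;
    }

    public static void main(String[] args) {
        System.out.println(buildQuery("lastName"));
        try {
            buildQuery("salary"); // constructed value that is not on the allowlist
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

main() exercises only the query builder, so it runs without a database; find() needs a live Connection to a database that has the employee table.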