From edbabf973d3c2246cc90e884b8397b4527282880 Mon Sep 17 00:00:00 2001
From: Martin Goik <goik@hdm-stuttgart.de>
Date: Mon, 19 Feb 2018 19:48:23 +0100
Subject: [PATCH] No PreparedStatement dynamic table and attribute parameter
---
Doc/Sda1/jdbc.xml | 55 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/Doc/Sda1/jdbc.xml b/Doc/Sda1/jdbc.xml
index 65469d341..8bb0ef8c3 100644
--- a/Doc/Sda1/jdbc.xml
+++ b/Doc/Sda1/jdbc.xml
@@ -2499,6 +2499,61 @@ System.out.println("Successfully inserted " + updateCount + " dataset(s)"); <para>Problem solved!</para> </figure> + <figure xml:id="sda1_jdbc_fig_preparedNoDynamicTableSupport"> + <title>No dynamic table support</title> + + <programlisting language="java">PreparedSatatement statement = + connection.prepareStatement("SELECT ? <co + linkends="sda1_jdbc_fig_preparedNoDynamicTableSupport-1.2" + xml:id="sda1_jdbc_fig_preparedNoDynamicTableSupport-1.2-co"/> from ?" <co + linkends="sda1_jdbc_fig_preparedNoDynamicTableSupport-2.2" + xml:id="sda1_jdbc_fig_preparedNoDynamicTableSupport-2.2-co"/>); +statement.setString(1, "birthday") <co + linkends="sda1_jdbc_fig_preparedNoDynamicTableSupport-3.2" + xml:id="sda1_jdbc_fig_preparedNoDynamicTableSupport-3.2-co"/>; +statement.setString(2, "Persons") <co + linkends="sda1_jdbc_fig_preparedNoDynamicTableSupport-4.2" + xml:id="sda1_jdbc_fig_preparedNoDynamicTableSupport-4.2-co"/>; +ResultSet rs = statement.executeQuery() <co + linkends="sda1_jdbc_fig_preparedNoDynamicTableSupport-5" + xml:id="sda1_jdbc_fig_preparedNoDynamicTableSupport-5-co"/>;</programlisting> + + <para>In a nutshell: <emphasis role="red">Only attribute value + literals may be parameterized.</emphasis></para> + </figure> + + <calloutlist> + <callout arearefs="sda1_jdbc_fig_preparedNoDynamicTableSupport-1.2-co" + xml:id="sda1_jdbc_fig_preparedNoDynamicTableSupport-1.2"> + <para>Providing an attributes name as parameter.</para> + </callout> + + <callout arearefs="sda1_jdbc_fig_preparedNoDynamicTableSupport-2.2-co" + xml:id="sda1_jdbc_fig_preparedNoDynamicTableSupport-2.2"> + <para>Providing the table name to be queried as parameter.</para> + </callout> + + <callout arearefs="sda1_jdbc_fig_preparedNoDynamicTableSupport-3.2-co" + xml:id="sda1_jdbc_fig_preparedNoDynamicTableSupport-3.2"> + <para>Setting the desired attributes name intending:</para> + + <programlisting language="none">SELECT <emphasis role="red">birthday</emphasis> FROM 
...</programlisting> + </callout> + + <callout arearefs="sda1_jdbc_fig_preparedNoDynamicTableSupport-4.2-co" + xml:id="sda1_jdbc_fig_preparedNoDynamicTableSupport-4.2"> + <para>Setting the table name to be queried intending:</para> + + <programlisting language="none">SELECT birthday FROM <emphasis + role="red">Persons</emphasis></programlisting> + </callout> + + <callout arearefs="sda1_jdbc_fig_preparedNoDynamicTableSupport-5-co" + xml:id="sda1_jdbc_fig_preparedNoDynamicTableSupport-5"> + <para>Fails: Only attribute value literals are allowed.</para> + </callout> + </calloutlist> + <qandaset defaultlabel="qanda" xml:id="exerciseSqlInjectPrepare"> <title>Prepared Statements to keep the barbarians at the gate</title> -- GitLab
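Review bot: The first line of the new figure's listing spells the type `PreparedSatatement`; it is `PreparedStatement`, and since readers are expected to compile the example the typo should be fixed. The "in a nutshell" sentence should also tell the reader what to do when a table or column name really is dynamic, otherwise string concatenation is left as the implied fallback; a one-sentence addition such as `Identifiers cannot be bound as parameters, so a dynamic table or column name must be checked against a fixed list of known identifiers before it is placed into the SQL text.` closes that gap. Callout 5 locates the failure at `executeQuery()`, but with some drivers the server already rejects a `?` in the FROM clause at `prepareStatement`, so `Fails, at the latest on execution: only attribute value literals are allowed.` would be the safer wording. Minor: `attributes name` in callouts 1 and 3 should read `attribute name`.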