Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
0 votes
313 views
in Technique[技术] by (71.8m points)

java - Safe way to use table name as parameter in JDBC query

What is the safe way to put a table name as a parameter into an SQL query? You cannot put a table name as a parameter using PreparedStatement. Concatenating strings to execute a query with a dynamic table name using Statement is possible, but it is not recommended because of the risk of SQL injection. What is the best approach to do this?


1 Reply

0 votes
by (71.8m points)

The best way would be:

  1. Put your table name between the characters used to delimit the name of a table, which change from one database to another.
  2. Escape the provided table name accordingly so that SQL injection is no longer possible.

So for example in case of MySQL, the table name's delimiter is the backquote character and we escape it by simply doubling it.

If your query is SELECT foo from bar, you could rewrite your query as follows:

 String query = String.format("SELECT foo from `%s`", tableName.replace("`", "``"));

This way you inject the name of your table without taking the risk of seeing some malicious code being injected.


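As an added example (not the answerer's code), the backquote escaping from the answer wrapped in a small Java helper, combined with an application-side allowlist of permitted table names; the allowlist contents and class name are assumed, and the target is MySQL as in the answer (Java 9+ for Set.of).

```java
import java.util.Set;

public class SafeTableName {
    // Assumed allowlist: the only tables this code is permitted to query.
    private static final Set<String> ALLOWED_TABLES = Set.of("bar", "audit_log");

    // Quote a MySQL identifier: wrap it in backquotes and double any backquote
    // inside it, so the whole string is read as one name and nothing else.
    // This is MySQL-specific; other databases use "..." or [...] with their own escaping.
    static String quoteMySqlIdentifier(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("identifier must not be empty");
        }
        if (name.indexOf('\0') >= 0) { // MySQL does not allow NUL in identifiers
            throw new IllegalArgumentException("identifier contains NUL");
        }
        return "`" + name.replace("`", "``") + "`";
    }

    // Stricter alternative: accept only names the application already knows,
    // then quote them anyway so the two defences are independent.
    static String requireAllowedTable(String name) {
        if (!ALLOWED_TABLES.contains(name)) {
            throw new IllegalArgumentException("table not permitted: " + name);
        }
        return quoteMySqlIdentifier(name);
    }

    static String buildQuery(String tableName) {
        return "SELECT foo FROM " + requireAllowedTable(tableName);
    }

    public static void main(String[] args) {
        System.out.println(buildQuery("bar"));
        // A stray backquote is escaped and becomes part of the name, not syntax.
        System.out.println(quoteMySqlIdentifier("odd`name"));
        try {
            buildQuery("odd`name"); // not in the allowlist, so rejected before quoting
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The quoted identifier is concatenated into the SQL text; the column values in the same query should still go through PreparedStatement placeholders.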