I have a simple JDBC application that talks to SQL Server.
Can I use "USE databasename" in a PreparedStatement?

```java
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;

void useDatabase(Statement statement, String databaseName) throws SQLException {
    // This works, but I am worried about SQL injection:
    // databaseName is provided by the user.
    // statement.executeUpdate("use \"" + databaseName + "\"");

    // So I tried this instead, but I am getting
    // com.microsoft.sqlserver.jdbc.SQLServerException: Incorrect syntax near '@p0'.
    PreparedStatement preparedStatement =
        statement.getConnection().prepareStatement("use ?");
    preparedStatement.setString(1, databaseName);
    preparedStatement.executeUpdate();
}
```

USE keyword docs: https://technet.microsoft.com/en-us/library/ms188366.aspx
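The error comes from the fact that a bind parameter (`?`, `@p0` on the wire) can only stand in for a value, never for an identifier such as a database name, so `USE ?` is a syntax error regardless of the driver. The hardening below is an added example written for this page, not code from the original post: it checks the user-supplied name against `sys.databases` with a genuinely parameterised query (there the name is compared as data), and only then builds the `USE` statement with a bracket-quoted identifier, doubling any `]` the same way `QUOTENAME()` does on the server. It assumes the Microsoft SQL Server JDBC driver and a `Connection` the caller already holds; the class and helper names `SafeUseDatabase`, `databaseExists` and `quoteIdentifier` are chosen here.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example for this page; not the original poster's code.
public final class SafeUseDatabase {

    private SafeUseDatabase() {}

    /**
     * Switch the connection to databaseName without letting user input be
     * parsed as SQL.
     *
     * Step 1: verify the name exists using a parameterised query against
     *         sys.databases. Identifiers cannot be bound with '?', but the
     *         value compared against the name column can be.
     * Step 2: emit USE with a bracket-quoted identifier, escaping ']' by
     *         doubling it (the escaping rule QUOTENAME() applies).
     */
    public static void useDatabase(Connection connection, String databaseName)
            throws SQLException {
        if (!databaseExists(connection, databaseName)) {
            // Fail closed: anything not in the catalogue is rejected, so an
            // injection attempt never reaches the USE statement at all.
            throw new SQLException("Unknown database: " + databaseName);
        }
        try (Statement statement = connection.createStatement()) {
            statement.executeUpdate("USE " + quoteIdentifier(databaseName));
        }
    }

    /** True if a database with exactly this name exists on the server. */
    static boolean databaseExists(Connection connection, String databaseName)
            throws SQLException {
        // The name travels as a bound parameter (data), never as SQL text.
        String sql = "SELECT 1 FROM sys.databases WHERE name = ?";
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, databaseName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    /**
     * Quote a SQL Server identifier with brackets. sysname is at most 128
     * characters, so longer input is rejected outright; the only character
     * that needs escaping inside [...] is ']' itself.
     */
    static String quoteIdentifier(String name) {
        if (name == null || name.isEmpty() || name.length() > 128) {
            throw new IllegalArgumentException("Invalid identifier");
        }
        return "[" + name.replace("]", "]]") + "]";
    }
}
```

The existence check is what actually closes the hole: even if the quoting were wrong, only a name that already appears in `sys.databases` gets as far as the `USE`. JDBC also offers `Connection.setCatalog(String)`, which performs the same switch on the driver side; if you prefer that route, keep the `databaseExists` check in front of it rather than passing raw user input through.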