
I'm trying to create a table similar to a ready table I created before (a template, if you will) where the only variable should be the table name.

This is what I've tried so far: I exported the template table to mysql code and copied the code to a preparedStatement object as such:

createNewLineTableStatement = constantLink.prepareStatement("CREATE TABLE IF NOT EXISTS ? (" +
                    "  `index` int(5) NOT NULL," +
                    "  `station` int(5) NOT NULL," +
                    "  PRIMARY KEY (`index`)," +
                    "  UNIQUE KEY `station` (`station`)" +
                    ") ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;\");"); 

Then I try to execute the code by calling the following function:

private static boolean createNewLineTable(String tableName) throws SQLException{
    createNewLineTableStatement.setString(1, tableName);
    if (createNewLineTableStatement.executeUpdate() == Statement.EXECUTE_FAILED)
        return false;
    return true;
}

But I'm getting a syntax error exception:

com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''line_37_var_1' (  `index` int(5) NOT NULL,  `station` int(5) NOT NULL,  PRIMARY' at line 1

How can I fix the code? Or is there a cleaner, better way to do the same thing? Maybe creating a script with a user variable? I thought of that, but I've never used a .sql script before.

  • Are you sure you can use a column with the name "index"? I thought it is a keyword. Commented Jan 18, 2013 at 13:01
  • Yes, I'm sure. I originally created the template table using phpmyadmin and it was created without a hitch. Commented Jan 18, 2013 at 13:04

3 Answers


Problem 1: You can't use a prepared statement parameter as the table name.

Problem 2: You have an unmatched paren and the extra characters "); at the end of your statement.

Your query string should look something like:

String query = "CREATE TABLE IF NOT EXISTS `" + tableName + "` (" +
    "  `index` int(5) NOT NULL," +
    "  `station` int(5) NOT NULL," +
    "  PRIMARY KEY (`index`)," +
    "  UNIQUE KEY `station` (`station`)" +
    ") ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci";

By design, table names and column names cannot be parameterized.

If you are worried about SQL injection, create a custom function to check for a malicious tableName. It is safe if the value comes from inside your application.

Then concatenate it into the string, and add backticks as a first level of defense :D

String tableName = "Your tableName";
String query = "CREATE TABLE IF NOT EXISTS `" + tableName + "` (" +
                    "  `index` int(5) NOT NULL," +
                    "  `station` int(5) NOT NULL," +
                    "  PRIMARY KEY (`index`)," +
                    "  UNIQUE KEY `station` (`station`)" +
                    ") ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci";
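An added example, not code from the question or any of the answers, of the custom check this answer suggests: the table name is validated against a strict allowlist pattern and wrapped in backticks before it is concatenated into the CREATE TABLE template from the question. The class `SafeTableName` and its helper names are my own, and the sample inputs in `main` are constructed.

```java
import java.util.regex.Pattern;

/**
 * Builds the CREATE TABLE statement from the question with the table name
 * validated and quoted before concatenation, since JDBC cannot bind an
 * identifier with "?". Hypothetical helper, not part of the original post.
 */
public final class SafeTableName {

    // Deliberately stricter than MySQL's own unquoted-identifier rules:
    // must start with a letter or '_', then letters/digits/'_', max 64 chars.
    private static final Pattern SAFE_IDENTIFIER =
            Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    /** Returns the identifier wrapped in backticks, or throws if it is not allowlisted. */
    public static String quoteIdentifier(String name) {
        if (name == null || !SAFE_IDENTIFIER.matcher(name).matches()) {
            throw new IllegalArgumentException("rejected table name: " + name);
        }
        // A backtick can no longer be present here; doubling it is MySQL's
        // escape rule for quoted identifiers and is kept as a second layer.
        return "`" + name.replace("`", "``") + "`";
    }

    /** The template from the question, with only the validated table name varying. */
    public static String createLineTableSql(String tableName) {
        return "CREATE TABLE IF NOT EXISTS " + quoteIdentifier(tableName) + " (" +
                "  `index` int(5) NOT NULL," +
                "  `station` int(5) NOT NULL," +
                "  PRIMARY KEY (`index`)," +
                "  UNIQUE KEY `station` (`station`)" +
                ") ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci";
    }

    public static void main(String[] args) {
        // Constructed inputs: the name from the question's error message, then
        // two names that must be refused (embedded backtick, embedded space).
        System.out.println(createLineTableSql("line_37_var_1"));
        for (String bad : new String[] {"line`37", "line 37"}) {
            try {
                createLineTableSql(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("refused: " + e.getMessage());
            }
        }
    }
}
```

The returned string is then executed with a plain statement (for example `connection.prepareStatement(sql).executeUpdate()`) with no "?" placeholders at all.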


You are missing the table name, and I think that "?" shouldn't be there.

It will be something like

"CREATE TABLE IF NOT EXISTS YOURTABLE" + the following code
