Concatenate data correctly when doing a select in java to db

Navigation
0

I was making some improvements to my small system and I get the doubt because I've always been concatenated to data in the where and not after the select, since now the question is to concatenate the selected table (db) and the pk (dni) entered.

This is my code: 3 

if (txtDniColaborador.getText().isEmpty()) {
        JOptionPane.showMessageDialog(null, "DEBE INGRESAR UN DNI");
    } else {

        tabla = txtTabla.getText();
        dni = txtDniColaborador.getText();
   try {
        Class.forName("com.mysql.jdbc.Driver");

        Connection conexion = DriverManager.getConnection("jdbc:mysql://localhost:3306/dbDaca?zeroDateTimeBehavior=convertToNull", "root", "1234");
        Statement st = conexion.createStatement();
        ResultSet rst = st.executeQuery("SELECT CONCAT("+tabla+") LIKE '%" + tabla + "%' FROM  WHERE CONCAT(DniColaborador) LIKE '%" + dni + "%'");
        ResultSetMetaData rsmt = rst.getMetaData();
        int nrocolumnas = rsmt.getColumnCount();
        DefaultTableModel modelo = new DefaultTableModel();
        this.jTable1.setModel(modelo);
        for (int x = 1; x <= nrocolumnas; x++) {
            modelo.addColumn(rsmt.getColumnLabel(x));

        }

        while (rst.next()) {
            Object[] fila = new Object[nrocolumnas];

            for (int y = 0; y < nrocolumnas; y++) {
                fila[y] = rst.getObject(y + 1);

            }

            modelo.addRow(fila);

        }

    } catch (ClassNotFoundException ce) {
        ce.printStackTrace();
    } catch (SQLException se) {

        se.printStackTrace();
    }
    }

It certainly throws me wrong, but that my doubt does not succeed in concatenating my data well in the preparedStatement. Here is when I'm going to try it, in the cbTabla are my 11 tables that I added for the user to select the table that you want to search with the pk entered, the tables have the same name in my bd and are the same ones where you entered as an item in the cbTabla so that there is no problem when concatenating

Greetings.

    
asked by Kevin Marshall 18.03.2018 в 06:32
source

1 answer

-1

If you want to send a query that searches for the DNI in the table selected in the combobox, you need to write a normal query that uses only the variable tabla .

I would also shield the code against so-called SQL Injection attacks. As a general rule, whenever you collect data from the outside , such as the value entered in the textbox, use prepared queries .

SQL Injection is a serious danger. Suppose that someone instead of the DNI only writes something like this:

  

DANGER !: DO NOT TRY THIS

     

1 ; DELETE FROM DatosssssFamiliarColaboradorrrr

You would be sending two queries, in the second the table DatosFamiliarColaborador would be completely deleted. This is an example of the most kind , of what can happen when you write vulnerable code.

Based on the comments I show you a response using prepared queries, with them the SQL injection is neutralized. 

String selectSQL = "SELECT * FROM "+ tabla +" WHERE DniColaborador = ?";
PreparedStatement ps = conexion.prepareStatement(selectSQL);
ps.setString(1, dni);
ResultSet rst = ps.executeQuery();
    
answered by 19.03.2018 в 04:17
how to insert record repeatedly Problems initializing the Bluetooth plugin in PhoneGap