Parameterized placeholders in prepared statements can only be used for 
values, not for database objects such as table names or column names. 
You can use string concatenation, but please verify the column name before adding 
it, or it might lead to SQL injection.

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

PreparedStatement preparedStatement = null;
try {
    String columnName = User.getUsername();
    // Allowlist check: identifiers cannot be bound as parameters, so the name
    // is validated before it is concatenated into the DDL statement.
    if (!columnName.matches("[A-Za-z0-9_]+")) { // something like this
        throw new IllegalArgumentException("Invalid column name: " + columnName);
    }
    final String QUERY_SQL = "ALTER TABLE TableName ADD " + columnName + " BOOLEAN";
    preparedStatement = connection.prepareStatement(QUERY_SQL);
    preparedStatement.executeUpdate();
} catch (SQLException e) {
    e.printStackTrace();
} finally {
    // Close in finally so the statement is released even if executeUpdate() throws.
    if (preparedStatement != null) {
        try { preparedStatement.close(); } catch (SQLException ignored) { }
    }
}

On Friday, April 14, 2023 at 8:20:07 PM UTC+5:30 Evgenij Ryazanov wrote:

> Hello!
>
> JDBC parameters can only be used to specify values (literals). They cannot 
> be used to specify identifiers; identifiers (including names of columns) 
> aren't parameterizable.
>
> Also, your decision to create a separate column for each user looks like a bad 
> idea; usually you shouldn't store data in that way in relational databases.
>
