Thread: Can't use a variable for a column name?
A user enters a name into a textfield and clicks on a "Find" button. Depending on which text field the user entered the data, the appropriate column name in the table is used for fieldName and the entered text is passName. However, the fieldName doesn't return anything. But if I replace fieldName with the column name ("WHERE first_name='"), the program returns values. Can't we use variables for column names or do I have to just put it all in an if/else statement?
Here is my code:
result = fe.executeQuery("SELECT first_name, last_name, emp_nbr, emp_type_code, emp_status_code, emp_work_center " +
"FROM employee " +
"WHERE '"+fieldName+"'='"+passName+"'");
Here is my code:
result = fe.executeQuery("SELECT first_name, last_name, emp_nbr, emp_type_code, emp_status_code, emp_work_center " +
"FROM employee " +
"WHERE '"+fieldName+"'='"+passName+"'");
Chris wrote:
> A user enters a name into a textfield and clicks on a "Find"
> button. Depending on which text field the user entered the
> data, the appropriate column name in the table is used for
> fieldName and the entered text is passName. However, the
> fieldName doesn't return anything. But if I replace
> fieldName with the column name ("WHERE first_name='"), the
> program returns values. Can't we use variables for column
> names or do I have to just put it all in an if/else statement?
>
> Here is my code:
>
> result = fe.executeQuery("SELECT first_name, last_name, emp_nbr, emp_type_code, emp_status_code,
emp_work_center" +
> "FROM employee " +
> "WHERE '"+fieldName+"'='"+passName+"'");
I'm not 100% certain if I understood you right, but if I did,
the statement should look like this:
result = fe.executeQuery("SELECT first_name, last_name, emp_nbr, emp_type_code, emp_status_code, emp_work_center " +
"FROM employee " +
"WHERE "+fieldName+"='"+passName+"'");
Also, be aware that this is wide open to SQL injection, unless you
double single quotes in fieldName and passName first.
Yours,
Laurenz Albe
that worked. thanks
On Fri, Apr 25, 2008 at 1:39 AM, Albe Laurenz <laurenz.albe@wien.gv.at> wrote:
I'm not 100% certain if I understood you right, but if I did,Chris wrote:
> A user enters a name into a textfield and clicks on a "Find"
> button. Depending on which text field the user entered the
> data, the appropriate column name in the table is used for
> fieldName and the entered text is passName. However, the
> fieldName doesn't return anything. But if I replace
> fieldName with the column name ("WHERE first_name='"), the
> program returns values. Can't we use variables for column
> names or do I have to just put it all in an if/else statement?
>
> Here is my code:
>
> result = fe.executeQuery("SELECT first_name, last_name, emp_nbr, emp_type_code, emp_status_code, emp_work_center " +
> "FROM employee " +
> "WHERE '"+fieldName+"'='"+passName+"'");
the statement should look like this:Also, be aware that this is wide open to SQL injection, unless you
result = fe.executeQuery("SELECT first_name, last_name, emp_nbr, emp_type_code, emp_status_code, emp_work_center " +
"FROM employee " +
"WHERE "+fieldName+"='"+passName+"'");
double single quotes in fieldName and passName first.
Yours,
Laurenz Albe