1.16.5 MySQL PreparedStatement

Discussion in 'Spigot Plugin Development' started by Mxrlin1, Jun 13, 2021.

  1. Hey, I often used the normal Statement and, because it's not good against SQL injections, I wanted to use PreparedStatements. So I wrote this method:

    Code (Text):
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.SQLException;
    import java.util.List;

    // Runs an INSERT/UPDATE/DELETE or DDL statement, binding every ? as a string value.
    // A ? placeholder can only stand in for a value, never for a table or column name.
    public static boolean updatePrepareStatement(Connection connection, String string, List<String> toReplace){
        Check.checkNotNull(connection);
        Check.checkNotNull(string);
        Check.checkIfEmpty(toReplace);

        // try-with-resources closes the statement even when executeUpdate throws
        try (PreparedStatement preparedStatement = connection.prepareStatement(string)) {
            // JDBC parameter indexes start at 1, not 0
            for(int i = 0; i < toReplace.size(); i++){
                preparedStatement.setString(i + 1, toReplace.get(i));
            }
            preparedStatement.executeUpdate();
            return true;
        } catch (SQLException e) {
            e.printStackTrace();
        }

        return false;
    }
    And if, for example, I want to create a table with it:
    Code (Text):
    MySQL.updatePrepareStatement(connection, "CREATE TABLE IF NOT EXISTS ? (UUID VARCHAR(100), coins VARCHAR(100));", Arrays.asList("economy"));
    Then this error appears:
    Code (Text):
    com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''economy' (UUID VARCHAR(100), coins VARCHAR(100))' at line 1
    And I absolutely don't know why. Can someone please help?

    EDIT: I tried replacing 'setString' with 'setObject' because I thought setString was what produced the quoted 'economy', but with setObject it's the same.
     
    #1 Mxrlin1, Jun 13, 2021
    Last edited: Jun 13, 2021
  2. SteelPhoenix

    Moderator

    You can't dynamically set the table name. Also, why are you using strings to save a UUID and coins, which (presumably) are numbers?
     
  3. The UUID I just like to save in a String because I've done it that way since the start. Coins are a double, and I once used the DOUBLE type from SQL and there were so many errors, so I'm just using VARCHAR because it's easy to understand.
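Added example, not code from this thread or from the plugin discussed: it shows the pattern SteelPhoenix's reply points at. JDBC `?` placeholders bind values only, and the driver sends a string parameter as a quoted literal, which is why the server saw `'economy'` where a table name was expected. An identifier that has to vary (here, a table name taken from the plugin config) is instead checked against a strict allowlist and wrapped in backticks before being spliced into the SQL text, while the UUID and coin values still go through `?`. The class name `EconomyTable`, the `SAFE_IDENTIFIER` pattern, the `CHAR(36)`/`DOUBLE` schema, and the method names are my choices, not the original poster's; the database methods need a JDBC `Connection` to a MySQL or MariaDB server, and only the identifier check runs offline in `main`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.UUID;
import java.util.regex.Pattern;

public final class EconomyTable {

    // Allowlist for identifiers: letters, digits and underscore, no leading digit,
    // at most 64 characters (MySQL's identifier length limit). This is deliberately
    // stricter than what the server itself would accept.
    private static final Pattern SAFE_IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");

    /** Validates a table or column name against the allowlist and wraps it in backticks. */
    static String quoteIdentifier(String name) {
        if (name == null || !SAFE_IDENTIFIER.matcher(name).matches()) {
            throw new IllegalArgumentException("Refusing unsafe SQL identifier: " + name);
        }
        return "`" + name + "`";
    }

    /** Builds the DDL. The table name is spliced in as a checked identifier, not bound as a value. */
    static String createTableSql(String table) {
        return "CREATE TABLE IF NOT EXISTS " + quoteIdentifier(table)
                + " (uuid CHAR(36) NOT NULL PRIMARY KEY, coins DOUBLE NOT NULL DEFAULT 0)";
    }

    static void createTable(Connection connection, String table) throws SQLException {
        try (PreparedStatement ps = connection.prepareStatement(createTableSql(table))) {
            ps.executeUpdate();
        }
    }

    /** Inserts or updates a player's balance; both values go through ? placeholders. */
    static int setCoins(Connection connection, String table, UUID player, double coins)
            throws SQLException {
        String sql = "INSERT INTO " + quoteIdentifier(table) + " (uuid, coins) VALUES (?, ?)"
                + " ON DUPLICATE KEY UPDATE coins = ?";
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, player.toString()); // UUID stored as its 36-character text form
            ps.setDouble(2, coins);             // bound as a number, not as text
            ps.setDouble(3, coins);
            return ps.executeUpdate();
        }
    }

    // Offline demo of the identifier check; the methods above need a real Connection.
    public static void main(String[] args) {
        System.out.println(createTableSql("economy"));
        // Constructed hostile inputs: each one is rejected before any SQL is built.
        for (String bad : new String[] {"economy; DROP TABLE players", "eco`nomy", "1table"}) {
            try {
                createTableSql(bad);
            } catch (IllegalArgumentException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

The allowlist is the actual defence; the backticks only make reserved words such as `order` usable as names. Keeping the table name out of user-controlled input entirely (a fixed config value read at plugin start) is simpler still, and the check then just catches a bad config value early.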