Dynamic SQL allows you to do things that simply aren't possible with normal parameterized SQL, but it comes
with risk.
Danger
While Dynamic SQL is very powerful, it is also very dangerous, because it opens you up to
SQL Injection Attacks. You should try to avoid using
dynamic SQL as far possible. If you are forced to use is, make sure to guard against SQL injection by either
coding against it, or using a library that helps with that.
To write a dynamic SQL query, write a proc like you would normally do, and at the point where you want to inject
the dynamic portion, use ¶meter_name(<length>). See below for an example.
packagecom.example.db;importbbd.jportal2.util.*;importjava.sql.*;importjava.util.*;importjava.math.*;/** */publicclassToDo_ItemSelectWithDynamicQueryextendsToDo_ItemSelectWithDynamicQueryStruct{privatestaticfinallongserialVersionUID=1L;Connectorconnector;Connectionconnection;publicToDo_ItemSelectWithDynamicQuery(){super();}publicvoidsetConnector(Connectorconn){this.connector=conn;connection=connector.connection;}publicToDo_ItemSelectWithDynamicQuery(Connectorconnector){super();this.connector=connector;connection=connector.connection;}/** * Returns any number of records. * @return result set of records found * @exception SQLException is passed through */publicQueryselectWithDynamicQuery()throwsSQLException{Stringstatement="/* PROC BooksAndAuthors.ToDo_Item.SelectWithDynamicQuery */"+"SELECT "+"ItemName, "+"ItemDescription, "+"LastUpdated "+"FROM "+"ToDoList_App.ToDo_Item i "+"WHERE "+"i.ID = ? "+"AND "+"ItemName IN ( "+{ItemNamesList}// (1)+" ";PreparedStatementprep=connector.prepareStatement(statement);prep.setInt(1,id);ResultSetresult=prep.executeQuery();Queryquery=newQuery(prep,result);returnquery;}/** * Returns the next record in a result set. * @param query The result set for the query. * @return true while records are found. * @exception SQLException is passed through */publicbooleanselectWithDynamicQuery(Queryquery)throwsSQLException{if(!query.result.next()){query.close();returnfalse;}ResultSetresult=query.result;itemName=result.getString(1);itemDescription=result.getString(2);lastUpdated=result.getTimestamp(3);returntrue;}/** * Returns all the records in a result set as array of ToDo_ItemSelectWithDynamicQuery. * @return array of ToDo_ItemSelectWithDynamicQuery. * @exception SQLException is passed through */publicToDo_ItemSelectWithDynamicQuery[]selectWithDynamicQueryLoad()throwsSQLException{Vector<ToDo_ItemSelectWithDynamicQuery>recs=newVector<>();Queryquery=selectWithDynamicQuery();while(selectWithDynamicQuery(query)==true){ToDo_ItemSelectWithDynamicQueryrec=newToDo_ItemSelectWithDynamicQuery();rec.itemName=itemName;rec.itemDescription=itemDescription;rec.lastUpdated=lastUpdated;recs.addElement(rec);}ToDo_ItemSelectWithDynamicQuery[]result=newToDo_ItemSelectWithDynamicQuery[recs.size()];for(inti=0;i<recs.size();i++)result[i]=recs.elementAt(i);returnresult;}/** * Returns any number of records. * @return result set of records found * @param id input. * @param SelectWithDynamicQuery dynamic input. * @exception SQLException is passed through */publicQueryselectWithDynamicQuery(Integerid,StringItemNamesList)throwsSQLException{this.id=id;this.ItemNamesList=ItemNamesList;returnselectWithDynamicQuery();}}