Using an Oracle Database through a Java application, I need to execute a SET CURRENT SCHEMA statement using a PreparedStatement to overcome potential SQL injection.
So, I cannot do
    public void executeSetCurrentSchema(Connection con, String schema) {
        try {
            Statement stmt = con.createStatement();
            // schema is concatenated straight into the statement text
            stmt.execute("SET CURRENT SCHEMA " + schema);
        } catch (Exception e) {}
    }
But instead I'd like to use a prepared statement, which won't accept a "SET" command. Instead, I can do a "SELECT setCurrentSchema(" + schema + ")" if such a function exists.
Is there any function I can issue using a SELECT to set the schema?
Best Answer
Always use the DBMS_ASSERT package when dealing with variable Database Objects that are used within Dynamic SQL statements.
Example
Your Java code would be:
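The answer's own code is not present on this page. As an added illustration of the DBMS_ASSERT approach it recommends (not the answerer's code), the sketch below passes the schema name only as a bind variable and lets Oracle validate and quote it before the dynamic statement is built. Assumptions: the class and method names are hypothetical, and it issues Oracle's `ALTER SESSION SET CURRENT_SCHEMA` rather than the `SET CURRENT SCHEMA` text from the question.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.SQLException;

// Hypothetical helper class; the name is an assumption made for this example.
public final class SchemaSwitcher {

    // ORA-44001 is raised by DBMS_ASSERT.SCHEMA_NAME for a name that is not an existing schema.
    private static final int ORA_INVALID_SCHEMA = 44001;

    // Anonymous PL/SQL block. The untrusted value arrives as a bind (?), so it is
    // never part of the text that JDBC sends. Inside the block:
    //   SCHEMA_NAME  -> returns the value unchanged only if it names an existing schema
    //   ENQUOTE_NAME -> wraps it in double quotes (FALSE = keep the case as given)
    // Only that validated, quoted identifier reaches EXECUTE IMMEDIATE.
    private static final String SET_SCHEMA_BLOCK =
          "BEGIN "
        + "  EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = ' "
        + "    || DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SCHEMA_NAME(?), FALSE); "
        + "END;";

    private SchemaSwitcher() {}

    public static void setCurrentSchema(Connection con, String schema) throws SQLException {
        if (schema == null || schema.isEmpty()) {
            throw new IllegalArgumentException("schema name is required");
        }
        try (CallableStatement cs = con.prepareCall(SET_SCHEMA_BLOCK)) {
            cs.setString(1, schema);
            cs.execute();
        } catch (SQLException e) {
            if (e.getErrorCode() == ORA_INVALID_SCHEMA) {
                // Surface a rejected name as a caller error instead of swallowing it.
                throw new IllegalArgumentException("not an existing schema", e);
            }
            throw e;
        }
    }
}
```

`DBMS_ASSERT.SCHEMA_NAME` compares the value case-sensitively against existing schema names, so an unquoted-style name such as `hr` must be passed as `HR`.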