When setting up SELECT, INSERT and UPDATE named queries, I am finding that the test tab fails if the table name is parameterized. The error is
com.microsoft.sqlserver.jdbc.SQLServerException: Must declare the table variable "@P0".
A simple example looks like this:
SELECT [BatchID], [StartTime], [EndTime]
FROM :tbl
WHERE [StartTime] >= :sDate
AND [EndTime] < :eDate
It fails whether the tbl parameter has quotes or doesn't. If I replace :tbl in the SQL with the table name it works fine.
You will need to make your table name as a QueryString parameter instead of a Value.
https://docs.inductiveautomation.com/display/DOC81/Named+Query+Parameters
But be careful how you deliver data to a queryString parameter, as such parameters re-open the SQL Injection security hole if given user-supplied data. That is, don't permit user-supplied data. If it will come from a user selection, use an index key in the UI, and perform a lookup to get the correct string at the point of the query. (The lookup would contain the valid possibilities.)
The "more susceptible to SQL Injection" verbiage is just fluff. Either the technique is susceptible or it is not. Query strings are susceptible, themselves, and must be guarded. Value parameters are not susceptible to SQL Injection. That's the point.
Shoot, I didn't even check the manual as I try to steer clear of QueryStrings due to their vulnerabilities.
Thanks!
Hey Pturmel, I was facing similar issue with nambed query. This named query is bindind to report. Kindly help me on this.
Named query is working without putting the '' on querystring. If I put like '{tablename 2}'. It is throwing error.
In report, neither working on puttingg '' nor with quotes for querystring in named query.
Show your query.
What brand of database is this? Certain brands don't accept SQL standard identifier quotes unless set to standards-compliant mode. (ANSI mode in SQL Server.)
Hey pturmel. Now My issue is resolved,Thank you for your timely reply. 
