Simple RunPrepQuery Issue

Jaden_Steinbacher · August 21, 2023, 8:13pm

Hi,
I am having an issue with a very simple query I am trying to run. I am trying to get all the data from the table by its name.
The code is below.

query = "SELECT * FROM ?"
s = "DrillPlates"
t = system.db.runPrepQuery(query, [s], "FASTDev")

So using this logic should be the same as running a script like

query = "SELECT * FROM DrillPlates"
test = system.db.runQuery(query,"FASTDev")

The bottom logic works fine as I expect the top logic causes an error
java.lang.Exception: java.lang.Exception: Error executing system.db.runPrepQuery(SELECT * FROM ?, , [DrillPlates], )

I am not sure why there is an error when these are the same query scripts just one is having the string argument prepped and the other is not. Any help is appreciated thank you.
All the testing for these scripts were in the script console on my client project.

lrose · August 21, 2023, 8:20pm

JDBC will not allow you to provide SCHEMA information via parameters (e,g. column names, table names, commands, etc.)

You can do this via NamedQueries and utilizing a QueryString parameter, but be sure to not allow user entered data directly into that parameter.

Jaden_Steinbacher · August 21, 2023, 8:25pm

Ok thank you for the information. I assume this is a preventive measure so tables are not destructed when running queries?

lrose · August 21, 2023, 8:26pm

Yes, it is part of the hardening against SQL Injection.