Adding a table name in query string dynamically in hibernate

Question

I am trying to add table name dynamically in my query which returns List<object[]> as return type

I am currently appending the table name inside the query I don't think that's the optimal solution .Is there any other solution better than this?

public List<Object[]> getResult(String tableName){

try {
        Session session = currentSession();
        Query query = session.createSQLQuery("select * from "+tableName);
        return query.list();
    } catch (Exception e) {
        e.printStackTrace();
        throw e;
    } finally {
        closeSession();
    }

}

The table name will be given dynamically i just want to know if there is any other better method than appending the string — Balaji Sankar, Jul 31 '19 at 11:37
you cannot pass table name as parameter, the best option will be using `StringBuilder` — Ryuzaki L, Jul 31 '19 at 11:52

score 1 · Answer 1 · answered Jul 31 '19 at 11:58

How about doing it the other way around? Instead of giving a table name and getting corresponding type, give a corresponding type and let code figure out table name.

public <T> List<T[]> getResult(Class<T> type){
    try {
        Session session = currentSession();
        Query query = session.createSQLQuery("select * from " + type.getName() + "s");
        ArrayList<T> result = new ArrayList();
        for(Object o : query.list())
            result.add((T) o);
        return result;
    } catch (Exception e) {
        e.printStackTrace();
        throw e;
    } finally {
        closeSession();
    }
}

type is class used to represent records in the table. This example assumes that in database tables only have additional "s" in their name, so if in Java you have class SomeObject and corresponding table is some_objects you might want to do some more Java-style names to SQL-style names conversion then type.getName() + "s".

Anyway - this should return you a list of elements casted to correct type, when you call getResult(SomeObject.class);

It can: https://stackoverflow.com/questions/634342/get-the-table-name-from-the-model-in-hibernate — Miku, Jul 31 '19 at 12:14
I don't have pojo for that table in that case what should i do? — Balaji Sankar, Jul 31 '19 at 12:43
You don't need it. It might be a poor choice of name, but `SomeObject` is a class name, not variable name. — Miku, Jul 31 '19 at 12:48

zomega · Answer 2 · 2019-08-05T07:59:53.493

In general if you need a SQL query with variable table name you're doing something wrong.

So it would be interesting what kind of program you are writing.

I can only think of a SQL database viewer or a database dumper which would need variable table names.

Also your method seems vulnerable to a SQL injection (unless you checked the table name before calling the method).

I am personally only using prepared queries when passing any variable to a SQL query. Your query as prepared statement would look like "SELECT * FROM ?". You can try if it is supported by your database. But it should not be because such a kind of query is only needed in very rare cases.

Adding a table name in query string dynamically in hibernate

2 Answers2