I'm using
- jdbcTemplate to make JDBC connections to a mySQL DB
- prepared statements to protect myself as much as possible from SQL injection attacks
- in need to accept requests from the user to sort the data on any of a dozen different columns
the following statement
jdbcTemplate.query("SELECT * FROM TABLE1 ORDER BY ? ?", colName, sortOrder);
Of course this doesn't work, because the variable bindings aren't supposed to specify column names just parameter values for expressions in the query.
So...how are people solving this issue? Just doing the sort in Java code seems like an easy solution, but since I'm getting a variable string for the column to sort on, and a variable telling me the sort order....that's an ugly number of comparator-conditions to cover. This seems like it should be a common problem with a common pattern to solve it...