I need to generate tables in the database at runtime.
I can't use a PreparedStatement in this case.
I tried to find a library to validate query or tableName input for MySQL but found only ESAPI, which can only escape my String. I have my custom validator for it, but I know that I can't be sure in this case.
I have read many examples of how to abuse SQL injection. But usually the resources give examples for parameters, not for table names. And as I understand it, it is possible when the parameter is at the end of the query.
Question 1: Could you give an example of how to abuse these queries?

```java
"CREATE TABLE " + tableName + "(id int primary key)"
```

or

```java
"DROP TABLE " + tableName
```

tableName - input from a client

It would be very useful for testing my validator. When I try to do it I always get an SQL syntax error.
Question 2: Usually they use the tactic where some character such as `,` or `'` or something like this is needed, and after it they write their request. For this tactic spaces are needed.
Is it possible to paste an SQL injection into input which can't have spaces? Which has only letters? Could an underscore be a character which interrupts the query?
UPDATE:
Would it be safe to add an escape char before the underscore in "firstname_lastname"?
```java
"CREATE TABLE " + "test(id int primary key) ; delete * from user; create table test2 " + "(id int primary key)"
```

tableName follows the rules (preferably for unquoted names) it should be safe.

tableName string that includes a back-tick.
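An added example of the defensive approach the answer fragment above points at (this is my own code, not code from the question or from any answer here): reject anything that does not match MySQL's rules for unquoted identifiers (ASCII letters, digits, `$`, `_`, at most 64 characters), and then backtick-quote the name anyway so reserved words such as `user` remain legal and any backtick that somehow got through is doubled, which is MySQL's escape for a backtick inside a quoted identifier. The class and method names are my own; the allowlist pattern and the length limit are MySQL's documented identifier rules. Note that the check does not depend on spaces at all, so the "input without spaces" variants from Question 2 are handled the same way, and that the underscore from the UPDATE is an ordinary identifier character that needs no escaping.

```java
import java.util.regex.Pattern;

public final class TableNameGuard {

    // Allowlist modelled on MySQL's rules for unquoted identifiers:
    // ASCII letters, digits, '$' and '_', 1 to 64 characters. Anything else
    // (spaces, parentheses, semicolons, quotes, backticks, comment markers) fails.
    private static final Pattern UNQUOTED_IDENTIFIER =
            Pattern.compile("^[A-Za-z0-9$_]{1,64}$");

    // Conservative extra rule: MySQL lets an unquoted name start with a digit
    // but not consist solely of digits; we simply reject all-digit names.
    private static final Pattern ALL_DIGITS = Pattern.compile("^[0-9]+$");

    /** True only if the name passes the allowlist; everything else is rejected. */
    public static boolean isAllowedTableName(String name) {
        if (name == null) {
            return false;
        }
        return UNQUOTED_IDENTIFIER.matcher(name).matches()
                && !ALL_DIGITS.matcher(name).matches();
    }

    /**
     * Validate, then wrap the name in backticks. Doubling an embedded backtick is
     * MySQL's escape for quoted identifiers; with the allowlist above it can never
     * trigger, but it keeps the quoting correct if the allowlist is ever widened.
     */
    public static String quoteIdentifier(String name) {
        if (!isAllowedTableName(name)) {
            throw new IllegalArgumentException("table name rejected by allowlist");
        }
        return "`" + name.replace("`", "``") + "`";
    }

    public static String createTableSql(String tableName) {
        return "CREATE TABLE " + quoteIdentifier(tableName) + " (id int primary key)";
    }

    public static String dropTableSql(String tableName) {
        return "DROP TABLE " + quoteIdentifier(tableName);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the second one is the injection string
        // quoted in the answer above.
        String[] samples = {
            "firstname_lastname",
            "test(id int primary key) ; delete * from user; create table test2 ",
            "name`with`backtick",   // constructed: backtick never reaches the query
            "user",                 // reserved word, legal once backtick-quoted
            "123",                  // all digits, rejected by the conservative rule
            "tbl-name",             // hyphen is not in the unquoted-identifier set
        };
        for (String s : samples) {
            if (isAllowedTableName(s)) {
                System.out.println("accepted: " + createTableSql(s));
                System.out.println("          " + dropTableSql(s));
            } else {
                System.out.println("rejected: " + s);
            }
        }
    }
}
```

Run it with `javac TableNameGuard.java && java TableNameGuard`. Only the first and fourth samples are accepted; the injection string from the answer fails on its first space and parenthesis, so the concatenated query never sees it. If you need non-ASCII table names, widen the pattern deliberately rather than dropping the allowlist, and keep the backtick quoting in place.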