My situation is that I need to create DB partitions on the fly at certain times. I’m using a Statement like the following:

alter table table_name split partition default_partition values (' +
id + ') into (  partition " + partitionName + ", partition
default_partition) update indexes

This works fine and does exactly what I expect. However, the value of id comes from input that an unauthorized person could potentially access. So, the above statement is vulnerable to an SQL injection attack. I would like to use a PreparedStatement, but I cannot figure out how.

The problem is that the partition table in oracle puts the “id” value into the HIGH_VALUE column which is a LONG. I see no appropriate setter to do this (since String can’t work). I’ve tried using the various stream messages, with both a StringReader and ByteArrayInputStream as the value to no avail. I know LONGs aren’t supposed to be used anymore but that’s the way Oracle has it so I can’t really get around it.

When I try with any of those ways, this is what I get:

ORA-14308: partition bound element must be one of: string, datetime or interval literal, number, or NULL

The Oracle doc has good info on how to get a LONG (the oracle data type, which is like a LOB) but not how to set it. Could anyone help me with this? I’ve also looked into the Oracle implementation of the JDBC driver but it too doesn’t seem to have a setLONG type method. Is there a way I can do this?