java - Oracle exception: invalid table name


I am using JDBC for connecting to the database (Oracle 10) in servlets.
In the following query I want to set 3 parameters dynamically.

  1. table name
  2. column name
  3. value

query:

query = "select ? from ? where ? = ?";
mypstmt = con.prepareStatement(query);
mypstmt.setString(1, tablename);
mypstmt.setString(2, columnname);
mypstmt.setString(3, columnname2);
mypstmt.setString(4, value);

But the above query is giving me this error:

java.sql.SQLException: ORA-00903: invalid table name

I checked the table name. It is correct, and if I write the query like:

query = "select " + columnname + " from " + tablename + " where " + columnname2 + " = ?";

then it is executing fine.

So what should I do if I want to set the table name and column names with mypstmt.setString(1, tablename)?

Edit 1: The reason why I want to parameterize the table name and column name is that I am allowing the user to select/enter table names and column names, so I want to avoid SQL injection.

We can't pass the table name directly to a PreparedStatement, as a table name cannot be a bind variable. PreparedStatement:

An object that represents a precompiled SQL statement.

A SQL statement is precompiled and stored in a PreparedStatement object. This object can then be used to efficiently execute this statement multiple times.

You have to construct your SQL with string concatenation. Using a stored procedure, you can pass the table name dynamically using dynamic SQL. Look at this answer to understand why it is restricted.
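
One way to combine the answer's point (identifiers must be concatenated) with the question's goal of avoiding SQL injection, as an added example that is not part of the original question or answer: table and column names are checked against an allowlist before concatenation, and the value stays a bind variable. The class name, the `ALLOWED` map and its table/column names are hypothetical, and `Map.of`/`Set.of` assume Java 9 or later.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class SafeDynamicQuery {
    // Hypothetical allowlist (assumption): tables users may query and the columns exposed in each.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
            "EMPLOYEES", Set.of("ID", "NAME", "DEPT"),
            "DEPARTMENTS", Set.of("ID", "TITLE"));

    // Identifiers are looked up in the allowlist; anything else is rejected before it reaches SQL.
    static String buildQuery(String table, String selectCol, String filterCol) {
        String t = canonical(table);
        Set<String> cols = ALLOWED.get(t);
        if (cols == null) throw new IllegalArgumentException("table not allowed: " + table);
        String c1 = canonical(selectCol), c2 = canonical(filterCol);
        if (!cols.contains(c1) || !cols.contains(c2))
            throw new IllegalArgumentException("column not allowed for " + t);
        // Only allowlisted names are concatenated; the value remains a bind variable.
        return "select " + c1 + " from " + t + " where " + c2 + " = ?";
    }

    private static String canonical(String s) {
        return s == null ? "" : s.trim().toUpperCase(Locale.ROOT);
    }

    // Same flow as the question's code: identifiers validated, value bound with setString.
    static PreparedStatement prepare(Connection con, String table, String selectCol,
                                     String filterCol, String value) throws SQLException {
        PreparedStatement ps = con.prepareStatement(buildQuery(table, selectCol, filterCol));
        ps.setString(1, value);
        return ps;
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate request, one with extra SQL in the table name.
        System.out.println(buildQuery("employees", "name", "dept"));
        try {
            buildQuery("employees where 1=1 --", "name", "dept");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist can also be loaded at startup from the schema with `DatabaseMetaData.getColumns` instead of being hard-coded.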

