SQLite Parameters - Not allowing tablename as parameter
Question
I'm developing an application in AIR via Flex, but I'm not seeing where I'm going wrong with SQLite (I'm used to MySQL). Parameters work, but only in certain instances. Is this part of the built-in sanitation system against SQL injection? Thanks for any help!
Works:
sqlite
"INSERT :Fields FROM Category", where the parameter is :Fields = "*"
as3
```actionscript
var statement:SQLStatement = new SQLStatement();
statement.connection = connection;
statement.text = "INSERT :Fields FROM Category";
// bind the named parameter (a literal value, as the answer below explains)
statement.parameters[":Fields"] = "*";
// execute() is a method; the original post omitted the call parentheses
statement.execute();
```
Doesn't work (SQL syntax error at ":Table"):
sqlite
"INSERT :Fields FROM :Table", where the parameters are :Fields = "*" and :Table = "Category"
as3
```actionscript
var statement:SQLStatement = new SQLStatement();
statement.connection = connection;
statement.text = "INSERT :Fields FROM :Table";
statement.parameters[":Fields"] = "*";
// binding an identifier (the table name) as a parameter fails at parse time
statement.parameters[":Table"] = "Category";
// execute() is a method; the original post omitted the call parentheses
statement.execute();
```
Accepted answer
Generally one cannot use SQL parameters/placeholders for database identifiers (tables, columns, views, schemas, etc.) or database functions (e.g., CURRENT_DATE), but instead only for binding literal values.
With server-side support for parameterized (a.k.a. prepared) statements, the DB engine parses your query once, remembering the peculiarities of any parameters -- their types, max lengths, precisions, etc. -- that you will bind in subsequent executions of the already-parsed query. But the query cannot be properly parsed into its syntactic elements if critical bits, like database objects, are unknown.
So, one generally has to substitute table names oneself, in a stored procedure or in client code which dynamically concats/interpolates/whatevers the SQL statement to be properly executed. In any case, please remember to use your SQL API's function for quoting database identifiers, since the API won't do it for you.
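The behaviour the answer describes, shown as an added example that is not part of the original question or answer. It uses Python's sqlite3 module rather than AIR's SQLStatement because the point is about the SQLite engine itself, which parses the statement before any parameter is bound: a placeholder in identifier position is a parse error, and a placeholder in column-list position binds the literal string '*' instead of expanding to all columns. The `Category` table, its rows, the `ALLOWED_TABLES` allowlist and the `quote_identifier` helper are constructed for this example; the quoting rule (double quotes, with embedded double quotes doubled) is SQLite's own identifier syntax, but there is no sqlite3 library call that does it for you, so the helper is hand-written.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a Category table (example data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Category (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Category (name) VALUES (?)", [("books",), ("music",)])
    conn.commit()
    return conn


def bind_table_name(conn: sqlite3.Connection, table: str):
    """Bind the table name as a parameter, as the question tried to do.

    SQLite parses the statement first; a placeholder where an identifier is
    required cannot be parsed, so this raises sqlite3.OperationalError
    (the engine reports a syntax error near ":table").  Returns the error text.
    """
    try:
        conn.execute("SELECT * FROM :table", {"table": table})
    except sqlite3.OperationalError as e:
        return str(e)
    return None


def bind_column_list(conn: sqlite3.Connection):
    """Bind '*' as a parameter in column position.

    This does parse, but the parameter is a literal value, not the '*'
    token: every row yields the string '*' rather than the row's columns.
    """
    return conn.execute("SELECT :fields FROM Category", {"fields": "*"}).fetchall()


def quote_identifier(name: str) -> str:
    """Quote a SQL identifier for SQLite.

    Wrap in double quotes and double any embedded double quote.  This keeps
    the name a single identifier token regardless of its contents, so
    'Category; DROP TABLE x' becomes a (non-existent) table name, not code.
    """
    return '"' + name.replace('"', '""') + '"'


# Allowlist of tables this code is permitted to query (assumption for the example).
# Quoting stops an identifier from breaking out of its token; the allowlist
# stops callers from reading tables they were never meant to reach.
ALLOWED_TABLES = {"Category", "Product"}


def select_from(conn: sqlite3.Connection, table: str, name_filter: str):
    """Substitute the table name in client code (quoted, allowlisted);
    bind the user-supplied value with a real parameter."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    sql = f"SELECT id, name FROM {quote_identifier(table)} WHERE name = ?"
    return conn.execute(sql, (name_filter,)).fetchall()


def select_quoted_only(conn: sqlite3.Connection, table: str):
    """Quoting without an allowlist: a hostile name is still neutralised
    (SQLite looks for a table literally named that and fails), but any
    table that does exist would be readable.  Returns rows or the error text."""
    try:
        return conn.execute(f"SELECT id FROM {quote_identifier(table)}").fetchall()
    except sqlite3.OperationalError as e:
        return str(e)


if __name__ == "__main__":
    db = make_db()
    print(bind_table_name(db, "Category"))                    # syntax error near ":table"
    print(bind_column_list(db))                                # [('*',), ('*',)]
    print(select_from(db, "Category", "books"))                # [(1, 'books')]
    print(select_quoted_only(db, "Category; DROP TABLE Category"))  # no such table
```

The first two functions reproduce the two cases in the question; the last two show the answer's recommendation in practice. Quoting alone makes an injected identifier harmless, but it is the allowlist that decides which tables a caller may name, so in client code both belong together.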