SQLite Parameters - Not allowing tablename as parameter

Question

I'm developing an application in AIR via Flex, but I'm not seeing where I'm going wrong with SQLite (I'm used to MySQL). Parameters work, but only in certain instances. Is this part of the built-in sanitization system against SQL injection? Thanks for any help!

Works:

sqlite

"SELECT :Fields FROM Category", where the parameter is :Fields = "*"

as3

import flash.data.SQLStatement;

var statement:SQLStatement = new SQLStatement();
statement.connection = connection; // an already-opened SQLConnection
statement.text = "SELECT :Fields FROM Category"; // the post wrote INSERT; SELECT is what the question describes
// binds the string '*' as a value: SQLite runs SELECT '*' FROM Category and returns the literal '*' once per row
statement.parameters[":Fields"] = "*";
statement.execute(); // execute() is a method call

Doesn't work (SQL syntax error at ":Table"):

sqlite

"SELECT :Fields FROM :Table", where the parameters are :Fields = "*" and :Table = "Category"

as3

import flash.data.SQLStatement;

var statement:SQLStatement = new SQLStatement();
statement.connection = connection; // an already-opened SQLConnection
statement.text = "SELECT :Fields FROM :Table"; // the post wrote INSERT; SELECT is what the question describes
statement.parameters[":Fields"] = "*";
statement.parameters[":Table"] = "Category";
statement.execute(); // fails at prepare: a parameter cannot name a table (SQLError in synchronous mode, an error event in asynchronous mode)

Answer

Generally one cannot use SQL parameters/placeholders for database identifiers (tables, columns, views, schemas, etc.) or database functions (e.g., CURRENT_DATE), but instead only for binding literal values.

With server-side support for parameterized (a.k.a. prepared) statements, the DB engine parses your query once, remembering the particulars of any parameters -- their types, max lengths, precisions, etc. -- that you will bind in subsequent executions of the already-parsed query. But the query cannot be properly parsed into its syntactic elements if critical bits, like database objects, are unknown.

So, one generally has to substitute table names oneself, in a stored procedure or in client code which dynamically concats/interpolates/whatevers the SQL statement to be properly executed. In any case, please remember to use your SQL API's function for quoting database identifiers, since the API won't do it for you.
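Added example, not part of the original question or answer: a Python script against SQLite's own engine through the standard sqlite3 module rather than AIR's ActionScript API, because the behaviour in question belongs to the SQLite parser, not to the binding layer. It reproduces both outcomes from the question (a bound table name fails at prepare time; a bound "*" runs but selects the literal string) and then shows the pattern the answer recommends for dynamic identifiers: check the caller-supplied name against the objects that actually exist in the schema, quote it as an identifier, and keep values in parameters. The Category table, its rows, and the function names are constructed for this example.

```python
import sqlite3

# Constructed in-memory database standing in for the asker's "Category" table.
SCHEMA = """
CREATE TABLE Category (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
INSERT INTO Category (name) VALUES ('books'), ('music');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def bind_table_name(conn, table):
    """What the second snippet in the question does: bind the table name.
    SQLite must know the table when it prepares the statement, so the parse
    fails before any value is bound. Returns the error text, or None if
    (unexpectedly) the statement ran."""
    try:
        conn.execute("SELECT * FROM :Table", {"Table": table})
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def bind_column_list(conn, fields):
    """What the first snippet does: ':Fields' = '*' binds the string '*' as a
    value. The statement prepares and runs, but SQLite evaluates
    SELECT '*' FROM Category and returns that literal once per row,
    not every column."""
    rows = conn.execute("SELECT :Fields FROM Category", {"Fields": fields})
    return [row[0] for row in rows]


def quote_identifier(name):
    """Quote an identifier the way SQLite expects: double quotes, with any
    embedded double quote doubled. This is the step the answer says the API
    will not do for you."""
    if "\x00" in name:
        raise ValueError("identifier contains NUL")
    return '"' + name.replace('"', '""') + '"'


def select_from_table(conn, table, columns=None):
    """Dynamic table and column names done safely: the names must match
    objects that already exist in the schema (an allowlist read from
    sqlite_master and PRAGMA table_info), then they are quoted as identifiers
    and interpolated. The WHERE value still goes through a parameter."""
    known_tables = {
        r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    }
    if table not in known_tables:
        raise ValueError(f"unknown table: {table!r}")
    known_columns = [
        r[1] for r in conn.execute(f"PRAGMA table_info({quote_identifier(table)})")
    ]
    if columns is None:
        columns = known_columns
    for col in columns:
        if col not in known_columns:
            raise ValueError(f"unknown column: {col!r}")
    sql = (
        "SELECT " + ", ".join(quote_identifier(c) for c in columns)
        + " FROM " + quote_identifier(table)
        + " WHERE id >= :min_id ORDER BY id"
    )
    return conn.execute(sql, {"min_id": 1}).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("bound table name:", bind_table_name(db, "Category"))
    print("bound '*':", bind_column_list(db, "*"))
    print("allowlisted identifiers:", select_from_table(db, "Category", ["name"]))
```

Because the allowlist is taken from the schema itself, a crafted name such as "Category; DROP TABLE Category" or a column that does not exist is rejected before any SQL is assembled; the identifier quoting is a second layer for the case where a legitimate object name contains characters SQL would otherwise interpret.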


