SQLite parameters

Updated: 2024-10-26 06:28:02

Problem description


I'm developing an application in AIR via Flex, but I'm not seeing where I'm going wrong with SQLite (I'm used to MySQL). Parameters work, but only in certain instances. Is this part of the built-in sanitation system against SQL injection? Thanks for any help!

Works:

SQLite:

"INSERT :Fields FROM Category", where the parameter is :Fields = "*"

AS3:

```actionscript
var statement:SQLStatement = new SQLStatement();
statement.connection = connection;
statement.text = "INSERT :Fields FROM Category";
statement.parameters[":Fields"] = "*";  // placeholder in a value position: binds fine
statement.execute();
```

Doesn't Work (SQL syntax error at ":Table"):

SQLite:

"INSERT :Fields FROM :Table", where the parameters are :Fields = "*" and :Table = "Category"

AS3:

```actionscript
var statement:SQLStatement = new SQLStatement();
statement.connection = connection;
statement.text = "INSERT :Fields FROM :Table";
statement.parameters[":Fields"] = "*";
statement.parameters[":Table"] = "Category";  // placeholder where a table name is expected
statement.execute();
```

Solution

Generally one cannot use SQL parameters/placeholders for database identifiers (tables, columns, views, schemas, etc.) or database functions (e.g., CURRENT_DATE), but instead only for binding literal values.

With server-side support for parameterized (a.k.a. prepared) statements, the DB engine parses your query once, remembering the peculiars of any parameters -- their types, max lengths, precisions, etc. -- that you will bind in subsequent executions of the already-parsed query. But the query cannot be properly parsed into its syntactic elements if critical bits, like database objects, are unknown.

So, one generally has to substitute table names oneself, in a stored procedure or in client code which dynamically concats/interpolates/whatevers the SQL statement to be properly executed. In any case, please remember to use your SQL API's function for quoting database identifiers, since the API won't do it for you.
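As an added example (not part of the original question or answer), the same failure and the safe alternative shown with Python's sqlite3 module against a constructed in-memory database: the table name is checked against sqlite_master and then quoted with SQLite's double-quote rule, while the comparison value is still bound as a parameter. The quoting helper is hand-written here because the sqlite3 module has no identifier-quoting function of its own.

```python
import sqlite3


def make_db():
    """Constructed in-memory database for the example (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Category (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Category (name) VALUES (?)",
                     [("books",), ("music",)])
    conn.commit()
    return conn


def bind_table_as_parameter(conn, table):
    """The failure from the question: a placeholder where SQLite expects a
    table name cannot be parsed. Returns the engine's error text, or None."""
    try:
        conn.execute("SELECT * FROM :Table", {"Table": table})
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def quote_identifier(name):
    """SQLite identifier quoting: wrap in double quotes, double any embedded
    double quote. Hand-written; sqlite3 offers no helper for this."""
    return '"' + name.replace('"', '""') + '"'


def table_exists(conn, name):
    """Allowlist check against the catalogue; the name is a bound value here."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def count_rows(conn, table, name_prefix):
    """Identifier substituted by the caller (checked, then quoted);
    the LIKE pattern is still bound as a normal value parameter."""
    if not table_exists(conn, table):
        raise ValueError("unknown table: %r" % (table,))
    sql = "SELECT COUNT(*) FROM %s WHERE name LIKE ?" % quote_identifier(table)
    return conn.execute(sql, (name_prefix + "%",)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(bind_table_as_parameter(db, "Category"))  # a parse error, not a result
    print(count_rows(db, "Category", "b"))          # 1
```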


Published: 2023-10-23 01:44:38
Article link: https://www.elefans.com/category/jswz/34/1519373.html