SQLite parameters - table names not allowed as parameters
I'm developing an application in AIR via Flex, but I'm not seeing where I'm going wrong with SQLite (I'm used to MySQL). Parameters work, but only in certain instances. Is this part of the built-in sanitation system against sql injection? Thanks for any help!
Works:
sqlite
"INSERT :Fields FROM Category", where the parameter is :Fields = "*"
as3
var statement:SQLStatement = new SQLStatement();
statement.connection = connection;
statement.text = "INSERT :Fields FROM Category";
statement.parameters[":Fields"] = "*";
statement.execute();
Does not work (SQL syntax error at ":Table"):
sqlite
"INSERT :Fields FROM :Table", where the parameters are :Fields = "*" and :Table = "Category"
as3
var statement:SQLStatement = new SQLStatement();
statement.connection = connection;
statement.text = "INSERT :Fields FROM :Table";
statement.parameters[":Fields"] = "*";
statement.parameters[":Table"] = "Category";
statement.execute();
Recommended answer
Generally one cannot use SQL parameters/placeholders for database identifiers (tables, columns, views, schemas, etc.) or database functions (e.g., CURRENT_DATE), but instead only for binding literal values.
With server-side support for parameterized (a.k.a. prepared) statements, the DB engine parses your query once, remembering out the peculiars of any parameters -- their types, max lengths, precisions, etc. -- that you will bind in subsequent executions of the already-parsed query. But the query cannot be properly parsed into its syntactic elements if critical bits, like database objects, are unknown.
So, one generally has to substitute table names oneself, in a stored procedure or in client code which dynamically concats/interpolates/whatevers the SQL statement to be properly executed. In any case, please remember to use your SQL API's function for quoting database identifiers, since the API won't do it for you.
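The answer's advice as an added example, not part of the original question or answer. It uses Python's sqlite3 module instead of AIR so it runs against a real SQLite engine, and shows the placeholder failing in identifier position, a bound "*" being treated as a literal, and a table name that is allow-listed, quoted and interpolated while the value stays bound. The helper names, the SELECT statements and the sample tables are assumptions constructed for illustration.

```python
import sqlite3

def quote_identifier(name):
    # SQLite identifier quoting: wrap in double quotes, double any embedded ones.
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'

def known_tables(conn):
    # Allow-list taken from the schema itself.
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0] for row in rows}

def select_by_id(conn, table, row_id):
    # Identifier: checked against the allow-list, quoted, then interpolated.
    # Value: bound as a parameter, never interpolated.
    if table not in known_tables(conn):
        raise ValueError("unknown table: %r" % table)
    sql = "SELECT id, name FROM %s WHERE id = :id" % quote_identifier(table)
    return conn.execute(sql, {"id": row_id}).fetchall()

def bind_table_name(conn):
    # The question's failing case: a placeholder where the grammar needs a name.
    try:
        conn.execute("SELECT * FROM :Table", {"Table": "Category"})
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

def bind_column_list(conn):
    # A placeholder in the column list parses, but binds the literal text '*'.
    return conn.execute("SELECT :Fields FROM Category", {"Fields": "*"}).fetchall()

def make_sample_db():
    # Constructed sample data (hypothetical tables, not from the question's app).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Category (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute('CREATE TABLE "odd ""name" (id INTEGER PRIMARY KEY, name TEXT)')
    conn.execute("INSERT INTO Category (name) VALUES ('books')")
    conn.execute("INSERT INTO \"odd \"\"name\" (name) VALUES ('quoted')")
    return conn

if __name__ == "__main__":
    db = make_sample_db()
    print(bind_table_name(db))
    print(bind_column_list(db))
    print(select_by_id(db, "Category", 1))
    print(select_by_id(db, 'odd "name', 1))
```

A table name that is not in the schema is rejected before any SQL text is built, so quoting is the second line of defence, not the only one.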