How do I quote values for LuaSQL?

2021-12-30 00:00:00 sql escaping lua sql-injection sqlite

LuaSQL, which seems to be the canonical library for most SQL database systems in Lua, doesn't seem to have any facilities for quoting/escaping values in queries. I'm writing an application that uses SQLite as a backend, and I'd love to use an interface like the one specified by Python's DB-API:

c.execute('select * from stocks where symbol=?', t)

but I'd even settle for something even dumber, like:

conn:execute("select * from stocks where symbol=" .. luasql.sqlite.quote(t))

Are there any other Lua libraries that support quoting for SQLite? (LuaSQLite3 doesn't seem to.) Or am I missing something about LuaSQL? I'm worried about rolling my own solution (with regexes or something) and getting it wrong. Should I just write a wrapper for sqlite3_snprintf?
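For the case where a literal really has to be spliced into the SQL text, the following is a pure-Lua equivalent of the behaviour of sqlite3_snprintf's %Q, added here as an example (it is not from the question, from LuaSQL or from Lua-Sqlite3; the function names are my own). SQLite string literals have a single escape rule, a quote is written as two quotes, so that is all the function does, plus a check for embedded NUL bytes, which would silently truncate the statement text passed to the C API.

```lua
-- Added example, not part of the original post. Helper names are assumed.
-- Mirrors sqlite3_snprintf's %Q for SQLite: nil -> NULL, numbers verbatim,
-- strings wrapped in single quotes with every ' doubled. SQLite literals
-- have no backslash escapes, so MySQL-style backslash escaping would be wrong.
local function sqlite_quote(value)
  if value == nil then
    return "NULL"
  end
  local t = type(value)
  if t == "number" then
    -- inf/nan are not valid SQL literals; refuse rather than emit garbage
    if value ~= value or value == math.huge or value == -math.huge then
      error("sqlite_quote: non-finite number")
    end
    return tostring(value)
  end
  if t == "string" then
    -- the statement text is NUL-terminated at the C boundary
    if value:find("\0", 1, true) then
      error("sqlite_quote: embedded NUL in string")
    end
    -- gsub returns two values; parenthesise to keep only the string
    return "'" .. (value:gsub("'", "''")) .. "'"
  end
  error("sqlite_quote: unsupported type " .. t)
end

local function build_query(symbol)
  return "select * from stocks where symbol=" .. sqlite_quote(symbol)
end

-- Constructed sample inputs showing that a quote in the input can no longer
-- terminate the literal:
assert(sqlite_quote("IBM") == "'IBM'")
assert(sqlite_quote("O'Reilly") == "'O''Reilly'")
assert(sqlite_quote(nil) == "NULL")
assert(sqlite_quote(42) == "42")
assert(build_query("x' or 1=1 --")
       == "select * from stocks where symbol='x'' or 1=1 --'")
print(build_query("O'Reilly"))
```

Prepared statements with bound parameters, as in the accepted answer, remain preferable whenever the driver offers them; this helper only covers the string/number/NULL literal case and does nothing for identifiers such as table or column names.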

Accepted answer

I haven't looked at LuaSQL in a while but last time I checked it didn't support it. I use Lua-Sqlite3.

require("sqlite3")

db = sqlite3.open_memory()

db:exec[[ CREATE TABLE tbl( first_name TEXT, last_name TEXT ); ]]

stmt = db:prepare[[ INSERT INTO tbl(first_name, last_name) VALUES(:first_name, :last_name) ]]

stmt:bind({first_name="hawkeye", last_name="pierce"}):exec()
stmt:bind({first_name="henry", last_name="blake"}):exec()

for r in db:rows("SELECT * FROM tbl") do
    print(r.first_name,r.last_name)
end
