Problem description
I'm developing an application in AIR via Flex, but I'm not seeing where I'm going wrong with SQLite (I'm used to MySQL). Parameters work, but only in certain instances. Is this part of the built-in sanitation system against SQL injection? Thanks for any help!
Works:

```sql
INSERT :Fields FROM Category
```

where the parameter is :Fields = "*"
```actionscript
var statement:SQLStatement = new SQLStatement();
statement.connection = connection;
statement.text = "INSERT :Fields FROM Category";
// :Fields is bound as a value parameter
statement.parameters[":Fields"] = "*";
// execute() must be called, not merely referenced
statement.execute();
```
Doesn't work (SQL syntax error at ":Table"):

```sql
INSERT :Fields FROM :Table
```

where the parameters are :Fields = "*" and :Table = "Category"
```actionscript
var statement:SQLStatement = new SQLStatement();
statement.connection = connection;
statement.text = "INSERT :Fields FROM :Table";
statement.parameters[":Fields"] = "*";
// :Table sits where an identifier is expected, so the statement fails to parse
statement.parameters[":Table"] = "Category";
// execute() must be called, not merely referenced
statement.execute();
```
Recommended answer
Generally one cannot use SQL parameters/placeholders for database identifiers (tables, columns, views, schemas, etc.) or database functions (e.g., CURRENT_DATE), but instead only for binding literal values.
With server-side support for parameterized (a.k.a. prepared) statements, the DB engine parses your query once, remembering the peculiars of any parameters -- their types, max lengths, precisions, etc. -- that you will bind in subsequent executions of the already-parsed query. But the query cannot be properly parsed into its syntactic elements if critical bits, like database objects, are unknown.
So, one generally has to substitute table names oneself, in a stored procedure or in client code which dynamically concats/interpolates/whatevers the SQL statement to be properly executed. In any case, please remember to use your SQL API's function for quoting database identifiers, since the API won't do it for you.
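The behaviour described in the answer, shown against SQLite directly as an added example (not code from the question or the answer): it uses Python's sqlite3 module in place of AIR's SQLStatement, and the in-memory database, table names and rows are constructed for the demonstration. It shows that a placeholder in identifier position is a parse error, that a bound "*" is selected as the literal string '*' rather than expanding to columns, and one way to splice a table name in safely: check it against the schema, then quote it as an identifier.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the AIR app's SQLite file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Category (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Category (name) VALUES (?)", [("books",), ("music",)])
    # A table whose name contains a double quote, to exercise identifier quoting.
    conn.execute('CREATE TABLE "odd""name" (x INTEGER)')
    conn.execute('INSERT INTO "odd""name" (x) VALUES (7)')
    return conn


def bind_table_name_fails(conn: sqlite3.Connection) -> bool:
    """A placeholder where an identifier belongs is rejected at parse time, before binding."""
    try:
        conn.execute("SELECT * FROM :Table", {"Table": "Category"})
        return False
    except sqlite3.OperationalError:  # near ":Table": syntax error
        return True


def bound_star_is_a_literal(conn: sqlite3.Connection) -> list:
    """Binding "*" as a value does not expand columns; each row yields the string '*'."""
    rows = conn.execute("SELECT :Fields FROM Category", {"Fields": "*"})
    return [row[0] for row in rows]


def quote_identifier(name: str) -> str:
    """SQLite identifier quoting: wrap in double quotes, doubling any embedded double quote."""
    return '"' + name.replace('"', '""') + '"'


def select_all(conn: sqlite3.Connection, table: str) -> list:
    """Splice the table name into the SQL text, but only if it names an existing table."""
    known = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in known:
        raise ValueError(f"unknown table: {table!r}")
    return conn.execute(f"SELECT * FROM {quote_identifier(table)}").fetchall()
```

The allowlist check is what actually keeps the interpolation safe; the quoting only makes unusual but legitimate names work.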
這篇關(guān)于SQLite 參數(shù) - 不允許表名作為參數(shù)的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網(wǎng)!