Is there any C SQLite API for quoting/escaping the name of a table?

 

It's impossible to sqlite3_bind_text a table name because sqlite3_prepare_v2 fails to prepare a statement such as: 

SELECT * FROM ? ;

I presume the table name is needed to parse the statement, so the quoting needs to have happened before sqlite3_prepare_v2 .

Is there something like a sqlite3_quote_tablename ? Maybe it already exists under a name I can't recognize, but I can't find anything in the functions list.

your proposed sqlite3_quote_tablename function could sanitize the input to prevent sql injection attacks. To do this it could parse the input to make sure it is a string literal. http://sqlite.org/lang_expr.html#litvalue

If a table name has invalid characters in it you can enclose the table name in double quotes, like this. 

sqlite> create table "test table" (id);
sqlite> insert into "test table" values (1);
sqlite> select * from "test table";
id
----------
1

Of course you should avoid using invalid characters whenever possible. It complicates development and is almost always unnecessary (IMO the only time it is necessary is when you inherit a project that is already done this way and it's too big to change).

When using SQLite prepared statements with parameters the parameter: "specifies a placeholder in the expression for a literal value that is filled in at runtime "

Before executing any SQL statement, SQLite "compiles" the SQL string into a series of opcodes that are executed by an internal Virtual Machine. The table names and column names upon which the SQL statement operates are a necessary part of the compilation process.

You can use parameters to bind "values" to prepared statements like this: 

SELECT * FROM FOO WHERE name=?;

And then call sqlite3_bind_text() to bind the string gavinbeatty to the already compiled statement. However, this architecture means that you cannot use parameters like this: 

SELECT * FROM ? WHERE name=?;    // Can't bind table name as a parameter
SELECT * FROM FOO WHERE ?=10;    // Can't bind column name as a parameter
链接地址: http://www.djcxy.com/p/44554.html

上一篇: 从RabbitMQ队列中检索消息

下一篇: 有没有用于引用/转义表名称的C SQLite API?