All geek questions in one place

Sqlite query with question mark

I have doubts about SQLite query. I have a table with four rows and three columns in some sample sqlite iOS database code.

and I retrieve the data from the table with the query: -

 Select * from table where column_name=? ;

Am I having a problem with column_name=? according to the sample code. What does it mean ? ..

used to increase lines?

+6
source share
3 answers

What? is a placeholder for the real value, the value that you must bind to the compiled expression. This link details the binding.

The reason you bind values ​​rather than just putting them in the query string is because it protects against SQL injection, which can happen if you use values ​​provided directly from the user.

+5
source

? represents a placeholder that you will associate with a value (for example, to set a text value, use sqlite3_bind_text after the sqlite3_prepare_v2 statement, but before executing it with sqlite3_step .

See sqlite3_bind documentation.

This is a very important construct to know and use, because you never want to build your SQL with stringWithFormat . Using sqlite3_bind , you get rid of the need to write code that avoids any quotes that you might have at your input, for example. you are trying to insert the values ​​of Joe Bar and Grill (where the apostrophe will corrupt your SQL if you use single quotes) or Dwayne "The Rock" Johnson (where the quotes will corrupt your SQL if you use double quotes). It also protects you from SQL injection attacks. Definitely use sqlite3_bind instead of manually creating SQL statements.

+2
source

I hope this can help you ... "?" the sign is used for ....

This usually implies a prepared statement where parameters are filled in later. (see, for example, http://en.wikipedia.org/wiki/Prepared_statements#Parameterized_statements ).

OR

In some operations, the parameters are unknown when the statement is ready, because each time the statement is executed, a different value may be inserted. In these instructions, you can use place-mark (?) Placeholder, where the parameter must be provided when executing the statement.

OR

Although PreparedStatement objects can be used for SQL statements without parameters, you are most likely to use them for SQL statements that accept parameters. The advantage of using SQL statements that use parameters is that you can use the same statement and supply it with different values ​​each time you execute it.

+1
source

Source: https://habr.com/ru/post/944523/

More articles:


All Articles