execSQL:bindargs更好吗? [英] execSQL: is bindargs better?

问题描述

我想知道execSQL方法中是否可以使用1或2个参数.
如果可以使用对象直接在SQLite数据库上执行操作，为什么还要使用第二种方法?

I was wondering in the execSQL method which can take 1 or 2 arguments.
Why using the second method, if I can use an object to directly do my operation on an SQLite db?

例如:

db.execSQL("INSERT INTO "+ TableName +" VALUES (null, ?)",
        new Object[] { type.getName() })

这比使用它更好

db.execSQL("INSERT INTO "+ TableName +" VALUES (null,"+  type.getName() +")")

第一个示例更安全吗?
执行时速度更快?
更容易阅读...
还是一样?

is the 1st example more secure?
faster when executing?
easier to read...
or is it the same?

推荐答案

方法 1 更好.

例如，它使您免于SQL注入.
因为它为您处理数据类型.

It saves you from SQL injection, for instance.
Because it handles the datatypes for you.

表示在需要时通过添加字符串定界符并转换撇号来转换字符串.

Meaning that it converts the strings when needed by adding the string delimiters and converting the apostrophes.

即:

要正常工作，您应该像

那样编写方法 2

To work correctly, you should write method 2 like

db.execSQL("INSERT INTO " + TableName + " VALUES (null, '" +  type.getName().replace("'", "''") + "')");

所以...

is the 1st example more secure?是.
faster when executing?不确定是否.
easier to read是的，一旦您习惯了(主要是基于意见).
... or is it the same?不，关于上面的讨论.

is the 1st example more secure? Yes.
faster when executing? Not sure if it is.
easier to read Yes, once you get used to it (primarily opinion based).
... or is it the same? No, for what discussed above.

这篇关于execSQL:bindargs更好吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！