是否可以在 Prepared Statements 或 QueryRunner.update() 中为表名或列名提供参数? [英] Is it possible to supply parameters for table or column name in Prepared Statements or QueryRunner.update()?

问题描述

从 ?在哪里 ?= ?

DELETE from ? WHERE ? = ?

是否可以为所有这些 ?s 输入参数?似乎如果我不提供字符串，就会出错.例如，它似乎只有在我有以下内容时才有效:

Is it possible to feed in parameters for all of these ?s? It seems that if I don't supply Strings, I get errors. For example, it only seems to work if I have something like:

从非营利组织中删除 WHERE nonpid = ?

DELETE from nonprofit WHERE nonpid = ?

它只需要这样的参数.

推荐答案

答案是否定的，您不能在准备好的语句中使用表名.准备好的语句仅适用于列值.

The answer is no you can not use table names in the prepared statements. The prepared statements will only work for column values.

这通常可以通过替代模式来规避，但如果您确实需要，您始终可以通过修改查询字符串将可选的表名称构建到查询中.如果您这样做，请确保清理您的输入以防止 sql 注入.

This usually can be circumvented with an alternate schema, but if you really need to you can always build the optional Table name into the query by modifying the query string. If you do so make sure to sanitize your input to prevent sql injection.

这篇关于是否可以在 Prepared Statements 或 QueryRunner.update() 中为表名或列名提供参数?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！