Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Sqlite query with question mark

I have a table with four rows and three columns in some sample code of the iOS sqlite database.

I am fetching data from the table with the query

Select * from table where column_name=? ;

I have problem with the column_name=? according to the sample code: What does the ? mean?

Is it used in incrementing the rows?

like image 895
user2353519 Avatar asked May 08 '13 12:05

user2353519


People also ask

Does SQLite support parameterized query?

SQLite doesn't support output parameters. Return values in the query results instead.

Can you declare variables in SQLite?

SQLite doesn't support native variable syntax, but you can achieve virtually the same using an in-memory temp table.

What is SQLite prepared statement?

A prepared statement object is the compiled object code. All SQL must be converted into a prepared statement before it can be run. The life-cycle of a prepared statement object usually goes like this: Create the prepared statement object using sqlite3_prepare_v2().


3 Answers

The ? is a placeholder for a real value, a value you must bind to the compiled statement. This link goes into detail concerning the bind.

The reason you bind values rather than just put them in the query string is because it protects from sql injection attacks - which could happen if you're using values provided directly from the user.

like image 63
user352891 Avatar answered Nov 09 '22 08:11

user352891


The ? represents a placeholder that you'll bind with a value (e.g. to set a text value, use sqlite3_bind_text after you sqlite3_prepare_v2 the statement, but before you perform it with sqlite3_step.

See sqlite3_bind documentation.

This is a very important construct to know and to use, because you never want to build your SQL using stringWithFormat. By using sqlite3_bind, you save yourself from having to write code that escapes any quotation marks you might have in your input, e.g. you're trying to insert values of Joe's Bar and Grill (where the apostrophe will mess up your SQL if you're using single quotation marks) or Dwayne "The Rock" Johnson (where the quotes will mess up your SQL if you're using double quotation marks). It also protects you against SQL injection attacks. Definitely use sqlite3_bind rather than building SQL statements manually.

like image 43
Rob Avatar answered Nov 09 '22 07:11

Rob


"?" is used for...

This usually implies a prepared statement, where the parameters are filled in later. (see e.g. http://en.wikipedia.org/wiki/Prepared_statements#Parameterized_statements).

OR

In some statements, parameters are unknown when the statement is prepared because a different value can be inserted each time the statement is executed. In these statements, you can use a question-mark ( ? ) placeholder where a parameter must be supplied when the statement is executed.

OR

Although PreparedStatement objects can be used for SQL statements with no parameters, you probably use them most often for SQL statements that take parameters. The advantage of using SQL statements that take parameters is that you can use the same statement and supply it with different values each time you execute it.

like image 28
Dharmbir Singh Avatar answered Nov 09 '22 06:11

Dharmbir Singh