I have a table with four rows and three columns in some sample code for the iOS SQLite database.
I am fetching data from the table with the query:
Select * from table where column_name=? ;
I have a problem with the column_name=? in the sample code: what does the ? mean?
Is it used in incrementing the rows?
A prepared statement object is the compiled object code. All SQL must be converted into a prepared statement before it can be run. The life-cycle of a prepared statement object usually goes like this: Create the prepared statement object using sqlite3_prepare_v2().
The ? is a placeholder for a real value, a value you must bind to the compiled statement. This link goes into detail concerning the bind.
The reason you bind values rather than just putting them in the query string is that it protects against SQL injection attacks, which could happen if you're using values provided directly by the user.
The ? represents a placeholder that you'll bind with a value (e.g. to set a text value, use sqlite3_bind_text after you sqlite3_prepare_v2 the statement, but before you perform it with sqlite3_step). See the sqlite3_bind documentation.
This is a very important construct to know and to use, because you never want to build your SQL using stringWithFormat. By using sqlite3_bind, you save yourself from having to write code that escapes any quotation marks you might have in your input, e.g. if you're trying to insert values such as Joe's Bar and Grill (where the apostrophe will mess up your SQL if you're using single quotation marks) or Dwayne "The Rock" Johnson (where the quotes will mess up your SQL if you're using double quotation marks). It also protects you against SQL injection attacks. Definitely use sqlite3_bind rather than building SQL statements manually.
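The two answers above (bind a value to the ? placeholder; never splice user input into the SQL text) can be tried out directly. The following is an added example, not code from the question or from any of the answers. It uses Python's standard-library sqlite3 module because it runs the same SQLite engine and the same ? placeholder as the C API on iOS; the comments name the C calls (sqlite3_prepare_v2, sqlite3_bind_text, sqlite3_step) each step corresponds to. The table name places, its columns and the three sample rows are constructed for the example, and lookup_concat deliberately reproduces the stringWithFormat anti-pattern so that the apostrophe and injection cases can be compared against the bound version.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
ROWS = [
    ("Joe's Bar and Grill", "Austin"),
    ('Dwayne "The Rock" Johnson', "Los Angeles"),
    ("Plain Name", "Austin"),
]


def make_db():
    """Create an in-memory database with a small 'places' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE places (name TEXT, city TEXT)")
    # Same statement text, different values bound on each execution:
    # this is what the '?' placeholder is for.
    conn.executemany("INSERT INTO places VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_bound(conn, name):
    """Correct form: '?' is a placeholder and the value is bound at execution.

    In the C API this is sqlite3_prepare_v2() on the SQL text,
    sqlite3_bind_text() for the value, then sqlite3_step() to run it.
    The value is never parsed as SQL, so quotes in it cannot break the
    statement or change its meaning.
    """
    cur = conn.execute("SELECT name, city FROM places WHERE name = ?", (name,))
    return cur.fetchall()


def lookup_concat(conn, name):
    """Anti-pattern: splice the value into the SQL text (like stringWithFormat).

    An apostrophe in the value terminates the string literal early and
    produces a syntax error; a crafted value rewrites the WHERE clause.
    """
    sql = "SELECT name, city FROM places WHERE name = '%s'" % name
    cur = conn.execute(sql)
    return cur.fetchall()


def run_both(name):
    """Run the same lookup both ways and return (bound_rows, concat_result).

    concat_result is the row list, or a string describing the SQL error
    when the concatenated statement no longer parses.
    """
    conn = make_db()
    try:
        bound = lookup_bound(conn, name)
        try:
            concat = lookup_concat(conn, name)
        except sqlite3.OperationalError as exc:
            concat = "SQL error: %s" % exc
    finally:
        conn.close()
    return bound, concat


if __name__ == "__main__":
    for value in ("Plain Name", "Joe's Bar and Grill",
                  'Dwayne "The Rock" Johnson', "x' OR '1'='1"):
        bound, concat = run_both(value)
        print("value:  %r" % value)
        print("  bound:  %r" % (bound,))
        print("  concat: %r" % (concat,))
```

With the bound form every value behaves the same way: Joe's Bar and Grill is found, the crafted value x' OR '1'='1 simply matches nothing. With the concatenated form the apostrophe produces a syntax error and the crafted value turns the lookup into SELECT ... WHERE name = 'x' OR '1'='1', which returns every row in the table.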
"?" is used for...
This usually implies a prepared statement, where the parameters are filled in later. (see e.g. http://en.wikipedia.org/wiki/Prepared_statements#Parameterized_statements).
OR
In some statements, parameters are unknown when the statement is prepared because a different value can be inserted each time the statement is executed. In these statements, you can use a question-mark ( ? ) placeholder where a parameter must be supplied when the statement is executed.
OR
Although PreparedStatement objects can be used for SQL statements with no parameters, you probably use them most often for SQL statements that take parameters. The advantage of using SQL statements that take parameters is that you can use the same statement and supply it with different values each time you execute it.