哪些字符不能用于 SQLite 数据库中的值?
我正在制作一个 Android 应用程序,并且使用了 SQLite 数据库。但我发现如果您键入单引号 (') 等字符(也用作主键),则数据将无法正确保存/检索。
是我的问题还是事实如此?如果是真的还有这样的角色吗?
谢谢。
@bdares 和 @mu 感谢您的提示,但是您能告诉我如何在 SQLite 中使用占位符和/或准备好的语句吗?
我以前一直使用直接字符串连接,但现在,这似乎是一种不好的做法,我想使用准备好的语句和/或占位符。
I'm making an Android app and I have used an SQLite database. But I found out if you type characters like single quotes ('), (also for using as the primary key) the data won't be saved/retrieved correctly.
Is it a problem with me or is it true? If its true are there any more characters like that?
Thanks.
@bdares and @mu Thanks for the tips, but can you please tell me how to use placeholders and/or prepared statements in SQLite?
I have always used direct String concatenation before but now, as it appears that's a bad practice, I would like to use prepared statements and/or placeholders.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
您可能会遇到诸如 ASCII STOP 之类的字符和此类非打印字符的问题,但如果您使用准备好的语句和参数绑定,即使使用诸如
'之类的字符,您也不会有任何问题。如果您不想使用参数绑定和准备好的语句,则可以将所有输入
'替换为\'就可以了。SQL 通常使用
'作为其特殊字符来告知字符串文字何时开始或停止。如果您的输入包含此字符,它将停止将当前行视为字符串并开始将其视为命令。从安全角度来看,这不是一件好事。它还可以阻止您输入该字符,除非您通过在其前面放置反斜杠来“转义”它,这告诉 SQL 忽略'并继续将以下字符视为字符串,直到出现未转义的 < code>' 已满足。当然,反斜杠文字也可以转义为双反斜杠。准备好的语句通常如下所示:
不幸的是,我不知道您将使用什么库从 Android 访问 sqlite,所以我目前无法向您提供更多详细信息。
Possibly you'll have problems with characters like ASCII STOP and such non-printing characters, but if you use prepared statements and parameter binding, you won't have any trouble even with characters like
'.If you don't want to use parameter binding and prepared statements, you can replace all of your input
'with\'and you'll be fine.SQL typically uses
'as its special character to tell when a string literal starts or stops. If your input has this character, it will stop treating the current line as a string and start treating it as commands. This is not a good thing, security wise. It also keeps you from inputting that character unless you "escape" it by placing a backslash in front of it, which tells SQL to ignore the'and continue treating the following characters as a string until an unescaped'is met. Of course, backslash literals are also escaped as double-backslashes.Prepared statements typically look like this:
Unfortunately, I don't know exactly what library you'd be using to access sqlite from Android, so I can't give you more details at this time.
SQLite 语句对字符串使用单引号或双引号。例如,如果您需要使用 (') 插入字符串,则可以使用双引号 (") 将字符串括起来:
或反之亦然:
(当然,您需要转义任何 ( ") 在你的 Java 代码中。)
另一种方法是使用 SQLiteStatment(准备好的声明)和bindString()
至于“允许的字符”,SQLite内部将字符串(类型TEXT)存储为UTF-8或UTF-16。 Android 的构建使用默认的 UTF-8。因此,您可以存储您喜欢的任何字符串。
SQLite statements use quotes -- single or double -- for strings. If you need to INSERT a string with (') for example, you can use double quotes (") to wrap the string:
Or the other way around:
(Of course, you will need to escape any (") in your Java code.)
An alternative is to use a SQLiteStatment (Prepared statement) and bindString()
As for the "characters allowed", SQLite internally stores strings (type TEXT) as UTF-8 or UTF-16. Android's build uses the default of UTF-8. Therefor, you can store any string you like.
接受的答案是正确的,除了 Sqlite 将 ' 字符转义为 '' 而不是 \'
这取自此 答案
The accepted answer is correct, except that Sqlite escapes the ' character as '' and not as \'
This was taken from this answer
SQLite支持TEXT(类似于Java中的String)、INTEGER(类似于Java中的long)和REAL(类似于Java中的double)数据类型。所有其他类型都必须先转换为这些字段,然后再将其保存到数据库中。 SQLight 本身不会验证写入列的类型是否实际上是定义的类型,您可以将整数写入字符串列。
SQLite supports the data types TEXT (similar to String in Java), INTEGER (similar to long in Java) and REAL (similar to double in Java). All other types must be converted into on of these fields before saving them in the database. SQLight itself does not validate if the types written to the columns are actually of the defined type, you can write an integer into a string column.