SQLiteParameter不能将TableName作为参数

http://stackoverflow.com/questions/1274432/sqlite-parameters-not-allowing-tablename-as-parameter

 

Generally one cannot use SQL parameters/placeholders for database identifiers (tables, columns, views, schemas, etc.) or database functions (e.g., CURRENT_DATE), but instead only for binding literal values.

placeholder 占位符

identifiers 标识符，认同者；检验人，鉴定人

literal 文字的；逐字的；无夸张的

 

With server-side support for parameterized (a.k.a. prepared) statements, the DB engine parses your query once, remembering out the peculiars of any parameters -- their types, max lengths, precisions, etc. -- that you will bind in subsequent executions of the already-parsed query. But the query cannot be properly parsed into its syntactic elements if critical bits, like database objects, are unknown.

peculiar 特权；特有财产

precisions 精度，[数] 精密度；精确

subsequent  后来的，随后的

syntactic  句法的；语法的；依据造句法的

critical  鉴定的；[核] 临界的；批评的，爱挑剔的；危险的；决定性的；评论的

 

So, one generally has to substitute table names oneself, in a stored procedure or in client code which dynamically concats/interpolates/whatevers the SQL statement to be properly executed. In any case, please remember to use your SQL API's function for quoting database identifiers, since the API won't do it for you.

substitute  代用品；代替者

stored procedur 存储过程

concat 合并多个数组；合并多个字符串

interpolate   vt. 篡改；插入新语句    vi. 插入；篡改

 

quote    n. 引用   vi. 报价；引用；引证   vt. 报价；引述；举证

作者:Chuck Lu    GitHub