What does a question mark represent in SQL queries?
Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/3727688/
Asked by egrunin
While going through some SQL books I found that examples tend to use question marks (?) in their queries. What does it represent?
Answered by egrunin
What you are seeing is a parameterized query. They are frequently used when executing dynamic SQL from a program.
For example, instead of writing this (note: pseudocode):
ODBCCommand cmd = new ODBCCommand("SELECT thingA FROM tableA WHERE thingB = 7")
result = cmd.Execute()
You write this:
ODBCCommand cmd = new ODBCCommand("SELECT thingA FROM tableA WHERE thingB = ?")
cmd.Parameters.Add(7)
result = cmd.Execute()
This has many advantages, as is probably obvious. One of the most important: the library functions which parse your parameters are clever, and ensure that strings are escaped properly. For example, if you write this:
string s = getStudentName()
cmd.CommandText = "SELECT * FROM students WHERE (name = '" + s + "')"
cmd.Execute()
What happens when the user enters this?
Robert'); DROP TABLE students; --
(Answer is here)
Write this instead:
s = getStudentName()
cmd.CommandText = "SELECT * FROM students WHERE name = ?"
cmd.Parameters.Add(s)
cmd.Execute()
Then the library will sanitize the input, producing this:
"SELECT * FROM students where name = 'Robert''); DROP TABLE students; --'"
Not all DBMS's use ?. MS SQL uses named parameters, which I consider a huge improvement:
cmd.Text = "SELECT thingA FROM tableA WHERE thingB = @varname"
cmd.Parameters.AddWithValue("@varname", 7)
result = cmd.Execute()
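The pseudocode above shows the idea; here is the same contrast as an added, runnable example (not part of the original answer) using Python's built-in sqlite3 module, whose driver uses exactly the positional ? style discussed here and also supports a named :name style comparable to MS SQL's @varname. The student names and the students table are constructed sample data; the hostile string is the one quoted in the answer, used only to show that a placeholder carries it as data. Function names such as find_with_qmark are this example's own.

```python
import sqlite3

# Constructed sample data for the example (not from the original answer).
STUDENTS = ["Alice", "Robert", "O'Brien"]

# The input quoted in the answer above. With a placeholder it is just a value.
HOSTILE_INPUT = "Robert'); DROP TABLE students; --"


def make_db():
    """Create an in-memory database with a small students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO students (name) VALUES (?)", [(n,) for n in STUDENTS])
    conn.commit()
    return conn


def build_concatenated_sql(name):
    """The pattern the answer warns about: user text is spliced into the SQL grammar."""
    return "SELECT name FROM students WHERE (name = '" + name + "')"


def find_by_concatenation(conn, name):
    """Run the concatenated query.

    Returns the matching names, or an 'error: ...' string when the driver
    rejects the text. A name containing an apostrophe is already enough to
    break the query; sqlite3 also refuses to run more than one statement
    per execute() call, which is a property of this driver, not of SQL.
    """
    try:
        return [row[0] for row in conn.execute(build_concatenated_sql(name))]
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "error: " + str(exc)


def find_with_qmark(conn, name):
    """Positional ? placeholder: the value travels separately from the SQL text."""
    rows = conn.execute("SELECT name FROM students WHERE name = ?", (name,))
    return [row[0] for row in rows]


def find_with_named(conn, name):
    """Named placeholder (sqlite3's :name style, the counterpart of MS SQL's @varname)."""
    rows = conn.execute("SELECT name FROM students WHERE name = :name", {"name": name})
    return [row[0] for row in rows]


def table_exists(conn, table):
    """Check the catalogue so we can confirm nothing was dropped."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    print(build_concatenated_sql(HOSTILE_INPUT))  # the text the answer's vulnerable code would send
    print(find_by_concatenation(conn, "O'Brien"))  # an ordinary apostrophe already produces an error
    print(find_with_qmark(conn, "O'Brien"))  # the same name works with a placeholder
    print(find_with_qmark(conn, HOSTILE_INPUT))  # [] - no student has that literal name
    print(find_with_named(conn, "Robert"))  # ['Robert']
    print(table_exists(conn, "students"))  # True - the table is untouched
```

The point the answer makes about escaping shows up with "O'Brien": concatenation turns a legitimate name into a syntax error, while the placeholder version returns the row, because the driver never has to guess where the value ends and the SQL resumes.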
Answered by SLaks
The ? is an unnamed parameter which can be filled in by a program running the query to avoid SQL injection.
Answered by Buhake Sindi
The ? is to allow Parameterized Query. These parameterized queries allow type-specific values when replacing the ? with their respective values.
That's all to it.
Here's a reason why it's better to use Parameterized Query. Basically, it's easier to read and debug.
Answered by amorfis
It's a parameter. You can specify it when executing the query.
Answered by vicatcu
I don't think that has any meaning in SQL. You might be looking at Prepared Statements in JDBC or something. In that case, the question marks are placeholders for parameters to the statement.
Answered by Jens Schauder
It normally represents a parameter to be supplied by the client.