Thanks Pavel!

Vance

Pavel Ivanov wrote:
>> Is there documentation that talks about the various binding place
>> holders or is this a standard SQL construct?
> 
> Probably this will help you: http://www.sqlite.org/c3ref/bind_blob.html.
> 
> 
> Pavel
> 
> On Tue, Mar 23, 2010 at 3:48 PM, Vance E. Neff <ven...@intouchmi.com> wrote:
>> Thanks to all those who responded!  It was quite educational.
>> I'm using the zentus java jdbc wrapper.  It seems to only support an
>> index # for the binding index so I'm stuck with being careful as to how
>> I count ?s.
>> Is there documentation that talks about the various binding place
>> holders or is this a standard SQL construct?
>>
>> Vance
>>
>> D. Richard Hipp wrote:
>>> On Mar 19, 2010, at 3:29 PM, David Bicking wrote:
>>>
>>>> --- On Fri, 3/19/10, Vance E. Neff <ven...@intouchmi.com> wrote:
>>>>
>>>> <snip>
>>>>> UPDATE table1 set (?, ?, ?) WHERE col1=? and col2=?;
>>>>>
>>>>> I've never used binding before but have known it is a good
>>>>> idea in order
>>>>> to avoid injection of bad stuff.
>>>>>
>>>>> Vance
>>>>>
>>>> You count the question marks from left to right.
>>>>
>>>>> UPDATE table1 set (<1>, <2>, <3>) WHERE col1=<4> and col2=<5>;
>>>> You can also put the index number you want to use after the ? so
>>>> they can be in any order you want.
>>> Better still is to use a symbolic name for the parameters.  The
>>> symbolic names can be any identifier that begins with $, :, or @.
>>> Examples:
>>>
>>>     UPDATE table1 SET col1=$c1val, col2=@c2val, col3=:c3val
>>>       WHERE col2=@c2val AND col3=:c3val;
>>>
>>> You still have to translate the symbolic name into a "parameter index"
>>> before you bind it.  The sqlite3_bind_parameter_index() routine will
>>> do that for you.
>>>
>>> In the programs I write, I always try to use symbolic names for
>>> parameters and I rig the infrastructure to handle the mapping from
>>> symbolic name to parameter index.  For example, if you are using the
>>> TCL interface to SQLite, you just specify TCL variables embedded in
>>> the SQL:
>>>
>>>       db eval {UPDATE table1 SET col1=$c1val WHERE col2=$c2val}
>>>
>>> In the statement above, the TCL interface automatically looks up the
>>> values of TCL variables $c1val and $c2val and binds them appropriately
>>> before running the statement.  It doesn't get any cleaner than this.
>>> Unfortunately, other programming languages require more complex
>>> syntax.  In the implementation of "Fossil" I do this:
>>>
>>>       db_prepare(&stmt, "UPDATE table1 SET col1=$c1val WHERE col2=$c2val");
>>>       db_bind_int(&stmt, "$c1val", 123);
>>>       db_bind_double(&stmt, "$c2val", 456.78);
>>>       db_step(&stmt);
>>>       db_finalize(&stmt);
>>>
>>> The db_bind_int() and db_bind_double() and similar routines wrap the
>>> sqlite3_bind_xxxxx() and sqlite3_bind_parameter_index() calls.
>>>
>>> If we've learned one thing over the history of computing it is that
>>> programmers are notoriously bad at counting parameters and that
>>> symbolic names tend to be much better at avoiding bugs.
>>>
>>> D. Richard Hipp
>>> d...@hwaci.com
>>>
>>>
>>>
>>> _______________________________________________
>>> sqlite-users mailing list
>>> sqlite-users@sqlite.org
>>> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>>>
>>>
>>
> 
> 

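Added example (not from the thread, and not Fossil's or the zentus wrapper's code) showing the two binding styles discussed above, named parameters with the $, @ and : prefixes and numbered ?NNN placeholders, through Python's built-in sqlite3 module, which does the name-to-index mapping internally. The table, rows and values are constructed for the demo; the last function shows that a value carrying SQL syntax is bound as plain data, which is the injection point Vance raised.

```python
import sqlite3

# Constructed demo schema and rows (hypothetical, not from the thread).
DDL = "CREATE TABLE table1 (col1 INTEGER, col2 REAL, col3 TEXT)"
ROWS = [(1, 456.78, "old"), (2, 456.78, "other"), (3, 9.0, "untouched")]

# The statement from the thread, using all three symbolic prefixes.
# Python's sqlite3 strips the prefix and looks each name up in the dict.
UPDATE_NAMED = ("UPDATE table1 SET col1=$c1val, col2=@c2val "
                "WHERE col3=:c3val")

# Numbered placeholders: the digits fix the index, so order in the SQL
# no longer matters; the sequence is bound by position 1..N.
UPDATE_NUMBERED = "UPDATE table1 SET col1=?2 WHERE col3=?1"


def open_db():
    """Fresh in-memory database loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(DDL)
    con.executemany("INSERT INTO table1 VALUES (?, ?, ?)", ROWS)
    con.commit()
    return con


def update_named(con, c1val, c2val, c3val):
    """Bind by symbolic name; returns the number of rows changed."""
    params = {"c1val": c1val, "c2val": c2val, "c3val": c3val}
    return con.execute(UPDATE_NAMED, params).rowcount


def update_numbered(con, c3val, c1val):
    """Bind by explicit index: ?1 gets c3val, ?2 gets c1val."""
    return con.execute(UPDATE_NUMBERED, (c3val, c1val)).rowcount


def rows(con):
    """Current table contents in insertion order, for checking results."""
    return con.execute(
        "SELECT col1, col2, col3 FROM table1 ORDER BY rowid").fetchall()


def update_with_hostile_value(con):
    """A WHERE value containing quote/OR text is bound as a literal string,
    so it matches no row instead of altering the statement's logic."""
    return update_named(con, 99, 0.0, "old' OR '1'='1")
```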
