SQLite INNER JOIN中的“模糊列名”
发布时间:2020-12-12 23:42:57 所属栏目:百科 来源:网络整理
导读:我在SQLite DB,INVITEM和SHOPITEM中有两个表.他们的共享属性是ItemId,我想执行INNER JOIN.这是查询: SELECT INVITEM.CharId AS CharId,INVITEM.ItemId AS ItemId FROM (INVITEM as INVITEM INNER JOIN SHOPITEM AS SHOPITEM ON SHOPITEM.ItemId = INVITEM.I
我在SQLite DB,INVITEM和SHOPITEM中有两个表.他们的共享属性是ItemId,我想执行INNER JOIN.这是查询:
SELECT INVITEM.CharId AS CharId,INVITEM.ItemId AS ItemId
FROM (INVITEM as INVITEM
INNER JOIN SHOPITEM AS SHOPITEM
ON SHOPITEM.ItemId = INVITEM.ItemId)
WHERE ItemId = 3;
SQLite不喜欢它: SQL error: ambiguous column name: ItemId 如果我写WHERE INVITEM.ItemId = 3,则错误消失,但由于WHERE条件或多或少是用户指定的,所以我宁愿让它工作而不必指定表. NATURAL JOIN似乎解决了这个问题,但我不确定解决方案是否足够通用(即我可以在这种情况下使用,但我不确定我是否可以在每种情况下使用) 任何可以解决问题的替代SQL语法? 我会避免允许用户直接编写SQL子句.这是SQL Injection漏洞的来源.如果您需要查询灵活,请尝试解析用户的输入并添加适当的where子句. 这里有一些C#代码来展示一般的想法 // from user input
string user_column = "ItemID";
string user_value = "3";
string sql = "SELECT INVITEM.CharId AS CharId,INVITEM.ItemId AS ItemId FROM (INVITEM as INVITEM INNER JOIN SHOPITEM AS SHOPITEM ON SHOPITEM.ItemId = INVITEM.ItemId) ";
if (user_column == "ItemID")
{
// using Int32.Parse here to prevent rubbish like "0 OR 1=1; --" being entered.
sql += string.Format("WHERE INVITEM.ItemID={0}",Int32.Parse(user_value));
}
显然,如果您正在处理多个子句,则必须在后续子句中将AND替换为WHERE. (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |