search

2shady4u / godot-sqlite

GDExtension wrapper for SQLite (Godot 4.x+)
MIT License
973 stars 83 forks source link

Syntax error thrown when ? used in query_with_bindings #171

Closed VoxelTek closed 8 months ago

VoxelTek commented 8 months ago

Environment:

Issue description: Attempting to use query_with_bindings throws a syntax error:

   --> SQL error: near "?": syntax error

Steps to reproduce: _(database already loaded into responses_db)_

var possible_id = randi() % (2^14)
var check_user_ID : String = "SELECT * FROM ? WHERE User_ID = ?;"
var ID_params : Array = ["Users", possible_id]
var ID_check_success = responses_db.query_with_bindings(check_user_ID, ID_params)

Error thrown: image

First error caused by this earlier code snippet:

var get_count_string : String = "SELECT COUNT(*) FROM ?;"
var count_param : Array = ["Items"]
var item_count_success = items_db.query_with_bindings(get_count_string, count_param)

Minimal reproduction project: Likely unnecessary, please inform if required.

Additional context Installed godot-sqlite from Godot Asset Library, as was recommended.

2shady4u commented 8 months ago

Hello @VoxelTek 😄

This is a restriction of SQLite: You can't bind table_names nor column_names in SQLite 😢 See here: https://github.com/2shady4u/godot-sqlite?tab=readme-ov-file#functions

In your case you would have to do the following:

var possible_id = randi() % (2^14)
var table_name = "Users"
var check_user_ID : String = "SELECT * FROM " + table_name + " WHERE User_ID = ?;"
var ID_params : Array = [possible_id]
var ID_check_success = responses_db.query_with_bindings(check_user_ID, ID_params)
VoxelTek commented 8 months ago

Ah, damn. That's annoying, but thanks for your help! I was hoping to avoid having to do it this way in order to ensure inputs are sanitised, but ah well. I appreciate your rapid response, and I'm glad this project exists!

2shady4u commented 8 months ago

SQLite documentation: https://www.sqlite.org/cintro.html

Relevant section in Chapter 6: image