I'm using the Ruby Sqlite3 library to insert some records into a database. I'm having issues getting the statements below to work (I've tried all variants that are posted); I get a "SQLite3::RangeException - bind or column index out of range" exception.
The query works if I just hardcode values into it... so what am I doing wrong?
statement = db.prepare("insert into IntegrationLogin (Username, Password, ProjectID) values (\"?1\", \"?2\", 1)")
statement.execute [params['username'], params['password']]
statement = db.prepare("insert into IntegrationLogin (Username, Password, ProjectID) values (\"?1\", \"?2\", 1)")
statement.execute params['username'], params['password']
statement = db.prepare("insert into IntegrationLogin (Username, Password, ProjectID) values (\"?\", \"?\", 1)")
statement.execute params['username'], params['password']
I think your problem lies with trying to encapsulate the parameter indicators (?) in quotes. This is unnecessary as the driver will wrap the string parameter in quotes and perform any additional escaping before executing the query. When I removed the quotes your example queries executed fine.
It looks like your superfluous quotations are escaping the parameter indicators somehow and the driver isn't seeing them.
Use this:
statement = db.prepare("insert into IntegrationLogin (Username, Password, ProjectID) values (?, ?, 1)")
You were making this harder than it needed to be. Don't worry, this kind of parameter binding completely prevents SQL injection, even without the extra quotes.
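To show why the quoted placeholders fail, here is an added reproduction that is not part of the question or answer above. It uses Python's standard sqlite3 module rather than the Ruby gem because the behaviour comes from SQLite's own parser: a quoted "?1" is a string literal, so the prepared statement has zero bind slots and supplying two values is an out-of-range binding. The table and the test values are constructed for the example; the literal-storage check uses single quotes, which SQLite always treats as a string (default builds treat the question's double-quoted "?1" the same way).

```python
import sqlite3

# Constructed stand-in for the IntegrationLogin table from the question.
SCHEMA = "CREATE TABLE IntegrationLogin (Username TEXT, Password TEXT, ProjectID INTEGER)"

# The statement from the question: placeholders wrapped in quotes.
BROKEN_SQL = 'insert into IntegrationLogin (Username, Password, ProjectID) values ("?1", "?2", 1)'
# Same mistake with SQL's unambiguous string quote, used to show what actually gets stored.
LITERAL_SQL = "insert into IntegrationLogin (Username, Password, ProjectID) values ('?1', '?2', 1)"
# The corrected statement from the answer: bare ? placeholders are real bind slots.
FIXED_SQL = "insert into IntegrationLogin (Username, Password, ProjectID) values (?, ?, 1)"


def fresh_db():
    """In-memory database with the constructed table."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def try_insert(sql, username, password):
    """Bind two values to `sql`; return ('ok', stored_row) or ('error', exception_class)."""
    db = fresh_db()
    try:
        db.execute(sql, (username, password))
    except (sqlite3.ProgrammingError, sqlite3.OperationalError) as exc:
        # Zero bind slots but two values supplied: the question's "index out of range".
        return ("error", type(exc).__name__)
    row = db.execute("SELECT Username, Password, ProjectID FROM IntegrationLogin").fetchone()
    return ("ok", row)


def insert_without_params(sql):
    """Run a quoted-placeholder statement unbound and return what SQLite stored."""
    db = fresh_db()
    db.execute(sql)
    return db.execute("SELECT Username, Password FROM IntegrationLogin").fetchone()


if __name__ == "__main__":
    # 1. Quoted placeholders: no bind slots, so binding fails.
    print(try_insert(BROKEN_SQL, "alice", "s3cret"))
    # 2. Unbound, the quoted statement stores the literal text ?1 and ?2.
    print(insert_without_params(LITERAL_SQL))
    # 3. Bare ? slots: the driver binds the values, and quote characters inside
    #    a value are stored verbatim rather than parsed as SQL.
    print(try_insert(FIXED_SQL, "alice", "it's \"fine\""))
```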