我正在使用Appcelerator的Titanium开发平台在JavaScript中编写应用程序,以部署到Android移动平台。我正在尝试对SQLite数据库执行INSERT。
只要用户输入单引号或撇号,就会破坏插入查询。我究竟做错了什么?
var db = Ti.Database.install('db/kewGarden.sqlite', 'kewGarden');
var driveByData = {
"notes" : $.row3.getValue() // User entered string
};
driveByData = JSON.stringify(driveByData);
dbLib.saveRecording(saveDriveByDetailsSuccess, saveDriveByDetailsError, {
ref_id : newdriveById,
tableName : tableName,
data : driveByData
});
saveRecording : function(onSuccessCallback, onErrorCallback, options) {
var strReplaceData = options.data.replace("'", "\'");
db.execute("INSERT INTO g_temp (ref_id, table_name, data, site) VALUES (" + options.ref_id + ",'" + options.tableName + "','" + strReplaceData + "','" + options.site + "')");
},
此数据库的文档位于:
http://docs.appcelerator.com/platform/latest/#!/api/Titanium.Database.DB-method-execute
答案 0 :(得分:1)
使用参数,然后您不需要转义任何内容:
db.execute('INSERT INTO MyTable(ID, Name) VALUES(?, ?)', 123, name);
您的查询,
db.execute('INSERT INTO g_temp (ref_id, table_name, data, site) VALUES (?,?,?,?)',options.ref_id,options.tableName,options.data,options.site);