On 6/9/17, Zach C. <fxc...@gmail.com> wrote:
> I was partially unclear with using a constant table name here; what I
> actually need as well is the table name as effectively a const that I
> control as well. So more like
>
> mydb eval {$SELECT json FROM $table WHERE json_extract(json, '$.hash') =
> $someId}
Like this then:
mydb eval "SELECT json FROM $table WHERE
json_extract(json,'\$.hash')=\$someId"
Put a backslash \ before every $ that you want passed down into
SQLite. And not that you definitely want the $ on $someId passed down
into SQLite. You do *not* want TCL to expand $someId for you.
>
> The problem is this will cause $table to be interpolated as a SQL string,
> which it is not: it is a table name. But even if I _do_ make the table name
> a literal, as in this query:
>
> % set hash 24471899
> 24471899
> % mydb eval {SELECT json FROM NotImportant WHERE json_extract(json,
> '$.hash') = $hash}
>
> _and_ I'm using curly-brace evaluation, the json_extract fails.
>
> It isn't JSON1 because if I _directly_ interpolate (introducing the
> possibility of SQL injection) it works fine.
>
> Even if I make the JSON path its own variable and do the same, it fails:
>
> % set json_path {$.hash}
> $.hash
> % mydb eval {SELECT json FROM NotImportant WHERE json_extract(json,
> $json_path) = $hash}
> %
>
> So I'm kind of at a loss.
>
--
D. Richard Hipp
d...@sqlite.org
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
