
By looking at an introductory tutorial on how to use SQLite in Swift (in the iOS context), I saw the following line of code:

let queryString = "INSERT INTO Heroes (name, powerrank) VALUES (?,?)"

tutorial URL : https://www.simplifiedios.net/swift-sqlite-tutorial/

I don't understand whether this is a Swift feature or something which will be parsed by SQL.

Is it some kind of string interpolation, like:

var s = "The value is \(value)"

Or is it something else?

Serge Hulne
  • Those are placeholders for the data to be sent separately, to avoid SQL injection. They are importantly **not** string interpolation. See https://bobby-tables.com/ and https://stackoverflow.com/q/60174/157957 etc. – IMSoP Jun 21 '22 at 08:50
  • If it's not Swift and not SQL, then what is it? – Serge Hulne Jun 21 '22 at 09:44
  • I guess they are SQL, in a way - they are interpreted *by the database implementation* as "a piece of data will be provided separately for use here". As I say, read up about what "SQL Injection" is, and how they prevent it. – IMSoP Jun 21 '22 at 09:53
  • So, a SQL dialect of sorts... – Serge Hulne Jun 21 '22 at 10:23
  • If I were you, I'd worry less about trying to find a neat label for it, and more on learning how to use it correctly, which you will achieve by reading about how to prevent SQL Injection. – IMSoP Jun 21 '22 at 10:27

1 Answer

This other tutorial sheds some light regarding the meaning of said syntax:

https://www.raywenderlich.com/6620276-sqlite-with-swift-tutorial-getting-started

It says:

Here, you define a value for the ? placeholder. The function’s name — sqlite3_bind_int() — implies you’re binding an Int to the statement. The first parameter of the function is the statement to bind to, while the second is a non-zero-based index for the position of the ? you’re binding to. The third and final parameter is the value itself. This binding call returns a status code, but for now, you assume that it succeeds.

Serge Hulne
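To make the difference between the `?` markers and host-language interpolation concrete, here is an added example that is not part of the question, the answer, or either tutorial. It uses Python's standard-library `sqlite3` module instead of the Swift `sqlite3_prepare_v2` / `sqlite3_bind_*` calls, because it is the same SQLite engine and the same `?` parameter syntax: the statement text is parsed first, and the bound values can only ever be treated as data. The `Heroes` table and the sample rows are constructed for the demo; the function names are mine.

```python
import sqlite3

# Constructed sample rows for this demo; not from the page.
SAMPLE_HEROES = [("Batman", 1), ("Superman", 2), ("Wonder Woman", 3)]

# The page's INSERT statement. The two '?' are SQLite parameter markers: the
# database parses them as "a value will be bound here"; Swift/Python never
# touch them, so this is not string interpolation.
INSERT_SQL = "INSERT INTO Heroes (name, powerrank) VALUES (?,?)"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the tutorial's Heroes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Heroes (id INTEGER PRIMARY KEY, name TEXT NOT NULL, powerrank INTEGER)"
    )
    conn.executemany(INSERT_SQL, SAMPLE_HEROES)
    conn.commit()
    return conn


def insert_hero(conn: sqlite3.Connection, name: str, powerrank: int) -> int:
    """Bind values to the '?' markers (the Python equivalent of
    sqlite3_bind_text / sqlite3_bind_int); SQLite stores them verbatim and
    never re-parses them as SQL. Returns the new row id."""
    cur = conn.execute(INSERT_SQL, (name, powerrank))
    conn.commit()
    return cur.lastrowid


def lookup_interpolated(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: host-language interpolation splices the input into the
    SQL text, so a quote in the input changes the statement's structure
    (classic SQL injection)."""
    sql = f"SELECT name, powerrank FROM Heroes WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """SAFE: the statement text is fixed; `name` is bound after parsing and
    can only be compared as a value, quotes and all."""
    return conn.execute(
        "SELECT name, powerrank FROM Heroes WHERE name = ?", (name,)
    ).fetchall()


def interpolation_breaks_on_quote(conn: sqlite3.Connection, name: str) -> bool:
    """True if the interpolated query does not even parse for this input
    (an apostrophe in an ordinary name is enough)."""
    try:
        lookup_interpolated(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Check the schema catalogue, itself with a bound parameter."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("interpolated:", lookup_interpolated(conn, payload))  # leaks every row
    print("bound:", lookup_bound(conn, payload))                # [] (no such literal name)
    insert_hero(conn, "O'Brien", 4)
    print("bound lookup of O'Brien:", lookup_bound(conn, "O'Brien"))
    print("interpolated lookup of O'Brien errors:", interpolation_breaks_on_quote(conn, "O'Brien"))
    evil = "Robin'); DROP TABLE Heroes; --"
    insert_hero(conn, evil, 5)
    print("Heroes still exists:", table_exists(conn, "Heroes"), "| stored:", lookup_bound(conn, evil))
```

Running it shows the three behaviours the comments above describe: the interpolated query returns every row for the `' OR '1'='1` payload while the bound query returns nothing; a perfectly legitimate name such as `O'Brien` makes the interpolated query fail to parse but is stored and found correctly when bound; and a `DROP TABLE` payload bound to the page's own `INSERT` is simply stored as a string. The Swift tutorial's `sqlite3_bind_int(stmt, 1, value)` does the same thing one level down: index 1 is the first `?`, and the value goes into the prepared statement's parameter slot, never into the SQL text.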