Questions"Why does binding values make you immune to injection attacks?" "What does binding values do?" "Why can't I bind the name of a table?" AnswerWhen you prepare a statement in SQLite, SQLite actually compiles your statement down to code that runs on an internal VM As SQLite compiles your SQL, the placeholders "?" become code that says "get this value from memory" to the VM. The value doesn't need to exist until the code executes on the VM Binding values fixes everything so that when the VM does "get this value from memory", the bound value will be pulled in The difference is that when you paste the value into the query, sqlite's parser/compiler sees it. When you bind the value, only SQLite's VM ever sees it, as a value. That's why you can't bind table names or other SQL code: Because SQLite needs to know those when it's compiling the code for the VM [eg, so it can decide which indices to use] |