SQLite Parameters - Not allowing tablename as parameter

Front-end · Unresolved · 2 · 1101
盖世英雄少女心 2020-11-29 09:18

I'm developing an application in AIR via Flex, but I'm not seeing where I'm going wrong with SQLite (I'm used to MySQL). Parameters work, but only in certain instances.

2 answers
  •  星月不相逢
    2020-11-29 09:59

    Not sure if this is the same but I ran across something similar in Java. Basically you can't add a table as a parameter so you must generate the statement like so:

    import flash.data.SQLStatement;
    import mx.utils.StringUtil;

    // The table name cannot be bound, so it is substituted into the statement text;
    // a value (here an assumed "id" column) is still bound as a normal parameter.
    var statement:SQLStatement = new SQLStatement();
    statement.connection = connection; // an already opened SQLConnection
    statement.text = StringUtil.substitute("SELECT * FROM {0} WHERE id = :id", "Category");
    statement.parameters[":id"] = 1;
    statement.execute();

    This is most likely not the most secure solution, so you might want to do some custom validation of the data before you add the table name, so someone doesn't try to send it the table name ";drop tableName..."
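An added example, not from either poster and written against Python's built-in sqlite3 module instead of ActionScript, assuming a constructed Category/Product schema: it shows SQLite refusing a bound table name, then checks the name against an allow-list before substituting it into the statement while the value stays a bound parameter.

```python
import sqlite3

# Allow-list of table names the application actually owns. Identifiers cannot be
# bound as parameters, so this check stands in for the binding step.
ALLOWED_TABLES = frozenset({"Category", "Product"})


def open_demo_db():
    """Constructed in-memory database for the example (not the asker's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Category (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE Product (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO Category (name) VALUES (?)",
                     [("books",), ("tools",)])
    return conn


def try_bind_table_name(conn, table):
    """Why the question's approach fails: a parameter token is an expression,
    not an identifier, so SQLite rejects it where a table name is expected."""
    try:
        conn.execute("SELECT * FROM ?", (table,))
        return "accepted"
    except sqlite3.OperationalError as exc:
        return "rejected: " + str(exc)


def quote_identifier(name):
    """Validate the table name against the allow-list, then quote it as an SQL
    identifier. Only names the application created can reach the statement."""
    if name not in ALLOWED_TABLES:
        raise ValueError("table not permitted: %r" % name)
    return '"' + name.replace('"', '""') + '"'


def select_rows(conn, table, name_filter):
    """The table name is validated and substituted; the value is still bound."""
    sql = "SELECT id, name FROM %s WHERE name = :name" % quote_identifier(table)
    return conn.execute(sql, {"name": name_filter}).fetchall()
```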
