I have two tables in a SQLite DB, INVITEM and SHOPITEM. Their shared attribute is ItemId and I want to perform an INNER JOIN. Here’s the query:
SELECT INVITEM.CharId AS CharId, INVITEM.ItemId AS ItemId FROM (INVITEM as INVITEM INNER JOIN SHOPITEM AS SHOPITEM ON SHOPITEM.ItemId = INVITEM.ItemId) WHERE ItemId = 3;
SQLite doesn’t like it:
SQL error: ambiguous column name: ItemId
The error goes away if I write WHERE INVITEM.ItemId = 3, but since the WHERE condition is more or less user-specified, I’d rather make it work without having to specify the table. NATURAL JOIN seems to solve the issue, but I’m not sure if the solution is general enough (i.e. I could use it in this case, but I’m not sure if I can use it in every case).
Any alternate SQL syntax that would fix the problem?
I would steer clear of allowing the user to write SQL clauses directly. This is the source of SQL Injection vulnerabilities.
If you need the query to be flexible, try parsing the user’s input and adding the appropriate where clause.
Here is some C# code to show the general idea
Obviously if you’re dealing with more than one clause, you’d have to substitute AND for WHERE in subsequent clauses.
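An added example, not code from the answer above: a Python `sqlite3` sketch of the approach described there. The user supplies field, operator and value; the field is mapped through an allowlist to a table-qualified column (which also avoids the ambiguous-column error from the question), and the value is bound as a parameter. The names `COLUMNS`, `OPERATORS`, `build_query`, the `Price` column and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Allowlist: user-facing field name -> table-qualified column. The user never
# types a table name, and SQLite never sees an unqualified "ItemId".
COLUMNS = {"ItemId": "INVITEM.ItemId", "CharId": "INVITEM.CharId"}
OPERATORS = {"=", "<>", "<", "<=", ">", ">="}

BASE_QUERY = (
    "SELECT INVITEM.CharId AS CharId, INVITEM.ItemId AS ItemId "
    "FROM INVITEM INNER JOIN SHOPITEM ON SHOPITEM.ItemId = INVITEM.ItemId"
)

def build_query(filters):
    """filters: list of (field, operator, value) tuples parsed from user input."""
    clauses, params = [], []
    for field, op, value in filters:
        if field not in COLUMNS:
            raise ValueError(f"unknown field: {field!r}")
        if op not in OPERATORS:
            raise ValueError(f"unsupported operator: {op!r}")
        # Only allowlisted text reaches the SQL string; the value is bound.
        clauses.append(f"{COLUMNS[field]} {op} ?")
        params.append(value)
    sql = BASE_QUERY
    if clauses:
        # First clause follows WHERE, later clauses are joined with AND.
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params

def demo_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE INVITEM (CharId INTEGER, ItemId INTEGER);
        CREATE TABLE SHOPITEM (ItemId INTEGER, Price INTEGER);
        INSERT INTO INVITEM VALUES (1, 3), (2, 3), (2, 4);
        INSERT INTO SHOPITEM VALUES (3, 10), (4, 25);
    """)
    return db

def search(db, filters):
    sql, params = build_query(filters)
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = demo_db()
    print(search(db, [("ItemId", "=", 3)]))           # matching rows
    print(search(db, [("ItemId", "=", "3 OR 1=1")]))  # bound as data: no rows
```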