PHP \ MySQL prepared statements

Updated: 2022-06-14 23:40:48

You cannot parameterize identifiers. You can only parameterize data. Otherwise the main point of parameterization, the separation between statement structure and data, is pretty moot. Understand that parameterization is not just fancy copy-and-paste, it's a technique to make sure the database has a clear separation between the static parts (which it will take its instructions from) and the dynamic parts (which it will treat as data and data only).

Personally I don't really understand why everyone tries to minimize SQL as much as possible and doesn't want to write any. In a real world application there are a defined, finite number of SQL queries that an application will send to the database. There's going to be one query to find a user by username, one to calculate the number of foos in the bar table etc. etc. Write those queries once, long-hand. Have a method findUserByName() somewhere which contains the query to find a user by name written out in SQL. You don't need to dynamically cobble together every single query, you just need to write it once. That also gives you a good "inventory" of all the possible database interaction and allows hand-tweaking where necessary. </rant>

So, it's both not possible and misguided.
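The two points of the answer above, shown in code: a bound parameter in an identifier position is either rejected at prepare time or treated as a string literal, while a long-hand query such as findUserByName() keeps the structure fixed and treats even SQL-looking input as data only. This is an added example, not the answerer's code; it uses Python's stdlib sqlite3 with a constructed in-memory table because it runs offline, but the driver behaviour is the same for PHP with MySQL prepared statements.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def select_column_via_placeholder(conn, column):
    """Attempt to 'parameterize' a column name.

    The driver binds the value as data, so the statement selects the
    string literal 'name' once per row instead of the name column."""
    return [row[0] for row in conn.execute("SELECT ? FROM users", (column,))]


def parameterized_identifier_fails(conn, table):
    """A placeholder where the table name belongs is a syntax error when the
    statement is prepared: structure can never come from a bound value."""
    try:
        conn.execute("SELECT * FROM ?", (table,))
        return False
    except sqlite3.OperationalError:
        return True


def find_user_by_name(conn, name):
    """The long-hand query the answer recommends: the SQL is written once in
    code, and only the value travels as a parameter."""
    row = conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchone()
    return None if row is None else {"id": row[0], "name": row[1], "role": row[2]}


def count_users_by_role(conn, role):
    """Second fixed query from the same 'inventory' of database interactions."""
    return conn.execute("SELECT COUNT(*) FROM users WHERE role = ?", (role,)).fetchone()[0]
```

A name containing quotes or SQL keywords is simply compared as a string by find_user_by_name(), so it matches nothing rather than altering the query.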