Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

luasql.mysql Why is there no prepare? #94

Open
2731381914 opened this issue Aug 8, 2018 · 8 comments
Open

luasql.mysql Why is there no prepare? #94

2731381914 opened this issue Aug 8, 2018 · 8 comments

Comments

@2731381914
Copy link

I looked through the documentation and found that no conn:prepare(select * from table where id=?) was provided. Why? What should I do about SQL injection.
@tomasguisasola
Copy link
Contributor

tomasguisasola commented Aug 9, 2018 via email

@blumf
Copy link
Contributor

blumf commented Aug 9, 2018

I've implemented prepared statements and parametrised queries for ODBC and Firebird.
Had a look at MySQL but have no experience with that API.

@tomasguisasola
Copy link
Contributor

tomasguisasola commented Aug 9, 2018 via email

@blumf
Copy link
Contributor

blumf commented Aug 10, 2018

It's a bit awkward, the changes are in the middle of a bunch of other features and refactoring.
I'll have a try at making a clean patch against the LuaSQL master branch and send a pull-req in a while.

You basically end up being able to do the following:

sql  = "INSERT INTO FOO(COL1,COL2) VALUES(?,?)"

stmt = conn:prepare(sql)
stmt:execute{123, "abc"}

-- also, directly

conn:execute(sql, {321,"xyz"})

@blumf
Copy link
Contributor

blumf commented Aug 10, 2018

Okay, check out the #95 PR (I wouldn't recommend actually pulling it as-is)
Contains a patch to the ODBC driver supporting parametrized queries.

Bit of a mess to look at the diff as so many bits and pieces have been altered, but the overall concept is pretty straight forward.

@fcr--
Copy link

fcr-- commented Nov 23, 2018

@blumf, @tomasguisasola: I've added a simpler interface in the PR #99, even though it doesn't yet support reuse of prepared statements, it could in the future. Example:

local sql = "SELECT * FROM passwords WHERE user=? and pass=?"
local cur = conn:execute(sql, user, pass)
...

The issue with passing the arguments in a table is that you could have {1, 2, nil} never knowing that it had 3 and not 2 values, which would trigger the invalid paramater count error on some databases. With arguments it's different since you could unpack an exact number of parameters by using: conn:execute(sql, table.unpack(myvalues, 1, 3)); or even conn:execute(sql, 1, 2, nil); and still be able to obtain the exact parameter count by using select('#', ...) in lua (if you ever need a proxy) or lua_gettop in C.

@andyvanee
Copy link

I am curious about this too. I am looking at lsqlite3 as well, but LuaSQL seems to have a more familiar interface to me. I would like to see prepared statements though :)

Perhaps something like the following interface would be possible?

-- Bind with named parameters
local statement = conn:prepare('SELECT * FROM mytable WHERE id = :id')
local cur = statement:execute({id = 1})

-- Bind with values
local statement = conn:prepare('SELECT * FROM mytable WHERE name = ?')
local cur = statement:execute({"example"})

There are a few more parameter types that sqlite allows, but these two cover the common cases that I've seen.

I've reviewed #100, which seems to address ? parameters, but is there any plan to support named parameters as well? Thanks!

lsqlite3 docs
lsqlite3 usage example

@Leos-Khai
Copy link

was prepare statements implemented? i dont know where to get the dll where luasql.mysql has parameter support.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@blumf @tomasguisasola @andyvanee @fcr-- @2731381914 @Leos-Khai