Search Postgresql Archives

Dynamic SQL in Lua

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The PostgreSQL Lua binding found on https://github.com/mbalmer/luapgsql
has been extended to make it a bit easier to create SQL commands
dynamically and still be able to use execParams().

Imagine a table with user information that contains usernames,
hostnames, locations (e.g. building a user works in) and more data.  In
a web application, a HTML form field could be set to a location name or
'all', indicating that we want information for all locations.

The simple approach would then be to create the SQL on the fly and pass
it to the db:exec() function:

sql = {
	string.format('select * from userinfo where name = '%s' and host = %s',
name, host }
}

if location ~= 'all' then
	sql[#sql + 1] = string.format(' and location = '%s', location)
end

sql = table.concat(sql, '\n')
db:exec(sql)

Constructing SQL this way is bad thing (SQL injection...), so
db:execParams() is what should be used.  As it is now possible to pass
tables as parameter values to the db:execParams() function, this can now
be done in a halway sane form by using a table for the parameters and
creating the placeholders ('$1', '$2' etc.) based on the current size of
the parameter array:

p = { 'mbalmer', 'localhost' } -- parameter array

sql = { 'select * from userinfo where name = $1 and host = $2' }

if location ~= 'all' then
	p[#p + 1] = location
	sql[#sql + 1] = string.format(' and location = $%d', #p)
end

sql = table.concat(sql, '\n')
db:execParams(sql, p)


-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux