DbPrepareString: Difference between revisions

From Multi Theft Auto: Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 1: Line 1:
__NOTOC__
__NOTOC__
{{Server function}}
{{Server function}}
{{New items|3.0152|1.5.2|
{{New items|3.0162|1.5.2|
This function "prepares" an SQL query string, returning a string that can be used in other SQL functions. This is useful if you need to reuse queries multiple times, but also need arguments to be escaped. This is helpful in preventing (one class of) SQL injection.
This function escapes arguments in the same way as [[dbQuery]], except dbPrepareString returns the query string instead of processing the query. This allows you to safely build complex query strings from component parts and help prevent (one class of) SQL injection.}}
}}


==Syntax==  
==Syntax==  
Line 22: Line 21:


==Example==
==Example==
{{Example}}
<section name="Serverside" class="server" show="true">
This example shows how to safely build a dynamic SELECT query
<syntaxhighlight lang="lua">
serialsToUse = { "111", "222", "333" }
 
local queryString = dbPrepareString( connection, "SELECT * FROM `player_info` WHERE true" )
for _,serial in ipairs(serialsToUse) do
    queryString = queryString .. dbPrepareString( connection, " AND `serial`=?", serial )
end
local handle = dbQuery( connection, queryString )
</syntaxhighlight>
</section>
 
==Requirements==
{{Requirements|1.5.2|n/a}}


==See Also==
==See Also==
{{SQL_functions}}
{{SQL_functions}}

Revision as of 09:31, 26 January 2016

ADDED/UPDATED IN VERSION 1.5.2 :
This function escapes arguments in the same way as dbQuery, except dbPrepareString returns the query string instead of processing the query. This allows you to safely build complex query strings from component parts and help prevent (one class of) SQL injection.

Syntax

string dbPrepareString ( element databaseConnection, string query [, var param1 [, var param2 ...]] )

OOP Syntax Help! I don't understand this!

Method: connection:prepareString(...)


Required Arguments

  • databaseConnection: A database connection element previously returned from dbConnect
  • query: An SQL query. Positions where parameter values will be inserted are marked with a ?

Optional Arguments

  • paramX: A variable number of parameters. These must be strings or numbers - it is important to make sure they are of the correct type. Also, the number of parameters passed must be equal to the number of ? characters in the query string.

String parameters are automatically quoted and escaped as required. (If you do not want a string quoted, use ??)

Returns

Returns a prepare SQL query string, or false if an error occurred.

Example

Click to collapse [-]
Serverside

This example shows how to safely build a dynamic SELECT query 

serialsToUse = { "111", "222", "333" }

local queryString = dbPrepareString( connection, "SELECT * FROM `player_info` WHERE true" )
for _,serial in ipairs(serialsToUse) do
    queryString = queryString .. dbPrepareString( connection, " AND `serial`=?", serial )
end
local handle = dbQuery( connection, queryString )

Requirements

Minimum server version 1.5.2
Minimum client version n/a

Note: Using this feature requires the resource to have the above minimum version declared in the meta.xml <min_mta_version> section. e.g. <min_mta_version server="1.5.2" />

See Also


Retrieved from "https://wiki.multitheftauto.com/wiki/DbPrepareString?oldid=46468"