Alternative method to provide dynamic arguments into sql query #28

szumielxd · 2024-07-17T23:16:51Z

szumielxd commented

2024-07-17 23:16:51 +00:00

First-time contributor

Sometimes you want to create a query with dynamic content. For now, you're limited to using unsafe keyword, but as name states it isn't safe.
So... Here's simple idea to provide query arguments directly as object array. Maybe not 100% foolproof, but in my opinion much better option than self-made sanitization of input.

Some examples:

Select specific column

execute unsafe "SELECT uuid, name, %{_columnName}% FROM stats WHERE displayname = ? LIMIT ?" in {-sql} with arguments {_displayName} and {_count} and store result in {_result::*}

Bulk update

loop all players:
    add "(?, ?, ?)" to {_valuesString::*}
    add uuid of player to {_values::*}
    add name of player to {_values::*}
    add rounded unix timestamp of now to {_values::*}
if size of {_valuesString::*} is bigger than 0:
    execute unsafe "INSERT INTO players (uuid,name,lastjoin) VALUES %join {_valuesString::*} by ", "% ON DUPLICATE KEY UPDATE name=VALUES(name), lastjoin=VALUES(lastjoin)" in {-sql} with arguments {_values::*}

Sometimes you want to create a query with dynamic content. For now, you're limited to using `unsafe` keyword, but as name states it isn't safe. So... Here's simple idea to provide query arguments directly as object array. Maybe not 100% foolproof, but in my opinion much better option than self-made sanitization of input. Some examples: - Select specific column ``` execute unsafe "SELECT uuid, name, %{_columnName}% FROM stats WHERE displayname = ? LIMIT ?" in {-sql} with arguments {_displayName} and {_count} and store result in {_result::*} ``` - Bulk update ``` loop all players: add "(?, ?, ?)" to {_valuesString::*} add uuid of player to {_values::*} add name of player to {_values::*} add rounded unix timestamp of now to {_values::*} if size of {_valuesString::*} is bigger than 0: execute unsafe "INSERT INTO players (uuid,name,lastjoin) VALUES %join {_valuesString::*} by ", "% ON DUPLICATE KEY UPDATE name=VALUES(name), lastjoin=VALUES(lastjoin)" in {-sql} with arguments {_values::*} ```

szumielxd added 3 commits 2024-07-17 23:16:52 +00:00

Added missing Skript repository 4de7dff0ad

Ignore Eclipse internal files 52d111dbfa

Added option to provide PreparedStatement-like query argument binding 110f3982ad

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions.