2

I don't like relying on positional parameters, is it possible to do so with HDBC?

I could see passing [(String, SqlValue)] instead of [SqlValue] as arguments to the various executing functions of this package.

In a nutshell, I'd rather

select 
  t.f1
  , t.f2
  , t.f3
from
  schema.table t
where
 t.f1 > @param1
 and t.f2 < @param2

than

select 
  t.f1
  , t.f2
  , t.f3
from
  schema.table t
where
 t.f1 > ?
 and t.f2 < ?
smoothdeveloper
  • 1,972
  • 18
  • 19

1 Answers1

1

Not with hdbc directly but i do it with the help of the shakespeare-text package:

quickQuery cn (T.unpack
                 [st|select bar, baz, foo
                       from table1 r
                      inner join location l on r.locat_id = l.location_id
                      where r.record_id = #{pageIdxId page}
                        and foo > #{var1 + var2}
                      order by 1|]) []

Notice haskell variables and expressions in #{} placeholders.

be careful with string splicing though.

use sql escaping function with string values. 

sqlEscape :: Text -> Text
sqlEscape = T.replace "'" "''"

then 

[st|update foo set bar = '#{sqlEscape someString}' where recid = #{myRecId}|]

Or if you are up to the task, you can take the shakespeare-text library and add a small change to it to automatically escape all isString types.

Vagif Verdi
  • 4,816
  • 1
  • 26
  • 31
  • Thanks, that is an approach I didn't envision; I currently do it this way declare (at)param1 type declare (at)param2 type set (at)param1 = ? set (at)param2 = ? ... rest of the statement Issue with string interpolation is handling potential sql injections, with bound parameters I know I'm safe (as long as there is no dynamic sql generated under the hood) – smoothdeveloper Oct 15 '13 at 20:23
  • be careful using hdbc placeholderes for updating/inserting. They have a nasty bug. They add an extra space at the end of the value. I fixed the bug on github https://github.com/hdbc/hdbc-odbc/pull/10 but it is still not accepted to main repository – Vagif Verdi Oct 15 '13 at 20:57