Passing parameters to a query

edit

Passing parameters to a query

edit

Using values in a query condition, for example, or in a HAVING statement can be done "inline", by integrating the value in the query string itself:

response = client.sql.query(
  format: 'txt',
  body: {
    query: "SELECT YEAR(release_date) AS year FROM library WHERE page_count > 300 AND author = 'Frank Herbert' GROUP BY year HAVING COUNT(*) > 0"
  }
)
puts response
POST /_sql?format=txt
{
	"query": "SELECT YEAR(release_date) AS year FROM library WHERE page_count > 300 AND author = 'Frank Herbert' GROUP BY year HAVING COUNT(*) > 0"
}

or it can be done by extracting the values in a separate list of parameters and using question mark placeholders (?) in the query string:

response = client.sql.query(
  format: 'txt',
  body: {
    query: 'SELECT YEAR(release_date) AS year FROM library WHERE page_count > ? AND author = ? GROUP BY year HAVING COUNT(*) > ?',
    params: [
      300,
      'Frank Herbert',
      0
    ]
  }
)
puts response
POST /_sql?format=txt
{
	"query": "SELECT YEAR(release_date) AS year FROM library WHERE page_count > ? AND author = ? GROUP BY year HAVING COUNT(*) > ?",
	"params": [300, "Frank Herbert", 0]
}

The recommended way of passing values to a query is with question mark placeholders, to avoid any attempts of hacking or SQL injection.