Method Description
PgsqlConnection.execParams()
Execute parameterized SQL on an open database, returning a result object
See Also
PgsqlConnection PgsqlResult
Syntax
PgsqlResult = PgsqlConnection.execParams(sql, ...)
Parameters
The 'PgsqlConnection.execParams' method takes 2 parameters:
Name | Type/Value | Range/Length | Description |
sql | string | | Required. A single SQL statement with parameter substitutions of the form $n |
... | value | | Optional. One or more values to be sent to the database server for substitution into the $n markers of the SQL given as parameter one |
Results
The 'PgsqlConnection.execParams' method returns PgsqlResult:
Type/Value | Range/Length | Description |
PgsqlResult | | A 'PgsqlResult' object that can be used to extract the results of the SQL operation |
Remarks
Runs a SQL statement against an open database. Whereas connection.exec takes a single, complete SQL string to execute, connection.execParams takes a SQL statement containing substitution markers of the form '$n', where 'n' is the marker's position, counted from 1. When the SQL is executed each marker is bound to the corresponding value from the execParams argument list: $1 takes the first value after the sql argument, $2 the second, and so on.

As a simple example consider:

res=conn.execParams("SELECT * FROM table WHERE name=$1","yellowhawk");

The effect is the same as executing:

SELECT * FROM table WHERE name='yellowhawk'

except that the value 'yellowhawk' is handed to the database server as data rather than spliced into the statement text.

There are several advantages of this method over conn.exec:
- Efficiency: the amount of string manipulation required is minimized, which matters most where the parameters are large binary objects that would otherwise have to be escaped.
- Safety: building SQL statements from values received from web browsers leaves the application open to SQL injection attacks unless every value is escaped correctly. Using execParams avoids this issue completely because the values are never treated as SQL: a value such as yellowhawk' OR '1'='1 is matched as a literal name, not parsed as part of the WHERE clause.

Recommendation: wherever possible execParams should be used in preference to exec. If the database is not open (connect has not been called, or the call failed) this method throws a catchable exception.
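The following is an added example, not code from the PgsqlConnection documentation. It contrasts splicing a browser-supplied value into SQL text, as conn.exec requires, with passing it as an execParams value. FakeConnection, buildWithConcat, placeholderCount and compare are assumed helper names: FakeConnection stands in for a real PgsqlConnection and only records what would be sent to the server (the statement text and the values as separate items); it does not talk to a database, and the real method's handling of a marker/value count mismatch may differ from the check shown here.

```javascript
// Added example, not part of the PgsqlConnection documentation.
// Constructed attacker input: a "name" that closes the quote and appends a tautology.
const PAYLOAD = "yellowhawk' OR '1'='1";

// The conn.exec way: the value becomes part of the statement text.
function buildWithConcat(name) {
  return "SELECT * FROM table WHERE name='" + name + "'";
}

// Highest $n marker used in a statement (0 if there are none).
function placeholderCount(sql) {
  let max = 0;
  for (const m of sql.matchAll(/\$(\d+)/g)) {
    max = Math.max(max, Number(m[1]));
  }
  return max;
}

// Assumed stand-in for PgsqlConnection. execParams checks that every $n marker
// has a value and returns the statement and the values as separate items, which
// is what reaches the server. The values are never inspected for SQL syntax.
class FakeConnection {
  constructor() {
    this.open = true;
  }
  execParams(sql, ...values) {
    if (!this.open) {
      throw new Error("database is not open");
    }
    const n = placeholderCount(sql);
    if (n !== values.length) {
      throw new Error(
        "statement uses $1..$" + n + " but " + values.length + " value(s) were supplied");
    }
    return { sql: sql, values: values };
  }
}

// Side-by-side view of what the server would see for a given name.
function compare(name) {
  const conn = new FakeConnection();
  const unsafe = buildWithConcat(name);
  const safe = conn.execParams("SELECT * FROM table WHERE name=$1", name);
  return {
    concatSql: unsafe,
    // True when the spliced text now contains an OR the developer never wrote.
    concatInjected: /\bOR\b/.test(unsafe),
    paramSql: safe.sql,
    paramValue: safe.values[0],
  };
}

const result = compare(PAYLOAD);
console.log("exec path sends:       " + result.concatSql);
console.log("execParams path sends: " + result.paramSql + "  with $1 = " + result.paramValue);
```

With the payload, the concatenated statement now reads `... WHERE name='yellowhawk' OR '1'='1'`, a different query from the one the developer wrote, whereas the execParams path sends the unchanged statement text plus the whole payload as the value of $1. The marker-count check in FakeConnection is the kind of guard worth having around any parameter list built dynamically; whether the real method rejects a mismatch or raises its own exception is not stated on this page.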