Whitebeam Object Definition


Method Description

PgsqlConnection.execParamsArray()

Execute parameterized SQL on an open database, returning a result object

See Also

PgsqlConnection
PgsqlResult
execParams

Syntax

PgsqlResult = PgsqlConnection.execParamsArray(sql, parameters)

Parameters

The 'PgsqlConnection.execParamsArray' method takes 2 parameters:

Name         Type/Value        Range/Length   Description
sql          string                           Required. A single SQL statement with parameter substitutions of the form $n
parameters   array of values                  Optional. Set of one or more values in an array to be sent to the database server for substitution into the SQL given as the first parameter

Results

The 'PgsqlConnection.execParamsArray' method returns PgsqlResult:

Type/Value    Range/Length   Description
PgsqlResult                  A 'PgsqlResult' object that can be used to extract the results of the SQL operation

Remarks

This method is similar to execParams except that the parameters to the SQL statement are presented as a single JavaScript parameter which must be an array.

Runs a SQL statement against an open database. Whereas connection.exec takes a single SQL string to execute, connection.execParamsArray takes a SQL statement with in-place substitution markers of the form '$n', where 'n' is a place marker numbered from 1.

When the SQL is executed the parameter markers are each replaced with a parameter from the 'parameters' list.

As a simple example, consider:

res=conn.execParamsArray("SELECT * FROM table WHERE name=$1",["yellowhawk"]);

In this case the SQL actually executed by the database will be:

SELECT * FROM table WHERE name='yellowhawk'

There are several advantages of this method over conn.exec:

  1. Efficiency: the amount of string manipulation required is minimized, which is especially important where the parameters might be large binary objects that would otherwise have to be escaped.
  2. Safety: building SQL statements from parameters passed from web browsers can leave the application open to SQL injection attacks, and great care must be taken to correctly escape every parameter. Using execParams or execParamsArray avoids this issue completely, because parameter values are never treated as SQL.

Recommendation: wherever possible, use execParams or execParamsArray in preference to exec.
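The following is an added illustration and is not part of Whitebeam or its documentation. It models, without a database, the difference the Remarks describe: splicing a value into the SQL text versus passing it as a $n parameter the way execParamsArray does. The functions prepareParamsArray, prepareByConcatenation, renderEffectiveSql and hasBalancedQuotes are hypothetical stand-ins; the sample value is constructed. The rendering of "the SQL actually executed" is for display only, since with a parameterised call the server receives the statement text and the values separately and never parses the values as SQL.

```javascript
// Added illustration, not Whitebeam code. Models how execParamsArray keeps
// SQL text and parameter values apart, versus concatenating them.

// Stand-in for the request execParamsArray(sql, parameters) hands to the
// server: the statement keeps its $n markers and the values travel alongside.
function prepareParamsArray(sql, parameters) {
  const markers = (sql.match(/\$\d+/g) || []).map((m) => Number(m.slice(1)));
  const highest = markers.length ? Math.max(...markers) : 0;
  if (highest > parameters.length) {
    throw new Error("SQL references $" + highest + " but only " +
      parameters.length + " parameter(s) were supplied");
  }
  return { text: sql, values: parameters.slice() };
}

// The approach the Remarks warn against: building the statement from the value.
function prepareByConcatenation(name) {
  return { text: "SELECT * FROM table WHERE name='" + name + "'", values: [] };
}

// Renders what the page calls "the SQL actually executed": each $n replaced
// by the n-th value as a properly quoted literal (quotes doubled). Display
// only; the database performs the substitution itself.
function renderEffectiveSql(request) {
  return request.text.replace(/\$(\d+)/g, (_, n) => {
    const v = request.values[Number(n) - 1];
    return "'" + String(v).replace(/'/g, "''") + "'";
  });
}

// Crude sanity check: an odd number of single quotes means the statement
// text no longer reads the way its author intended.
function hasBalancedQuotes(text) {
  return (text.match(/'/g) || []).length % 2 === 0;
}

// Constructed input: an ordinary value that happens to contain an apostrophe.
const SAMPLE_NAME = "O'Brien";

const concatenated = prepareByConcatenation(SAMPLE_NAME);
const parameterised = prepareParamsArray(
  "SELECT * FROM table WHERE name=$1", [SAMPLE_NAME]);

console.log(concatenated.text, hasBalancedQuotes(concatenated.text));
console.log(parameterised.text, parameterised.values);
console.log(renderEffectiveSql(parameterised));
```

The concatenated statement ends up with an unbalanced quote from a perfectly legitimate value, which is the same mechanism an attacker-controlled value exploits; the parameterised request is unchanged by the value's content, and the rendered literal shows the apostrophe doubled as PostgreSQL expects.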

If the database is not open (no call to connect, or the call failed) then this method will throw a catchable exception.

Whitebeam release 1.3.36