Comments on: SQL queries with varidic argument lists http://www.rakkar.org/blog/?p=360 Trials of a game developer Tue, 20 Jul 2010 22:23:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Oliver Smith http://www.rakkar.org/blog/?p=360&cpage=1#comment-14916 Oliver Smith Mon, 25 Aug 2008 17:50:20 +0000 http://www.rakkar.org/blog/?p=360#comment-14916 e.g. from the Perl <a href='http://search.cpan.org/~timb/DBI-1.607/DBI.pm' rel="nofollow">DBI man page</a>: <b>Placeholders and Bind Values</b> Some drivers support placeholders and bind values. Placeholders, also called parameter markers, are used to indicate values in a database statement that will be supplied later, before the prepared statement is executed. For example, an application might use the following to insert a row of data into the SALES table: INSERT INTO sales (product_code, qty, price) VALUES (?, ?, ?) or the following, to select the description for a product: SELECT description FROM products WHERE product_code = ? The "?" characters are the placeholders. The association of actual values with placeholders is known as binding, and the values are referred to as bind values. Note that the "?" is not enclosed in quotation marks, even when the placeholder represents a string. e.g. from the Perl DBI man page:

Placeholders and Bind Values

Some drivers support placeholders and bind values. Placeholders, also
called parameter markers, are used to indicate values in a database
statement that will be supplied later, before the prepared statement is
executed. For example, an application might use the following to
insert a row of data into the SALES table:

INSERT INTO sales (product_code, qty, price) VALUES (?, ?, ?)

or the following, to select the description for a product:

SELECT description FROM products WHERE product_code = ?

The “?” characters are the placeholders. The association of actual
values with placeholders is known as binding, and the values are
referred to as bind values. Note that the “?” is not enclosed in
quotation marks, even when the placeholder represents a string.

]]> By: Oliver Smith http://www.rakkar.org/blog/?p=360&cpage=1#comment-14914 Oliver Smith Mon, 25 Aug 2008 17:40:03 +0000 http://www.rakkar.org/blog/?p=360#comment-14914 Isn't %c the "single character" mask? I haven't used PG in a long time, but normally you "prepare" the query; the standard interface is usually something like this: db = databaseConnection() ; sth = prepareStatement("INSERT INTO table (xval, yval, strval, dataval) VALUES (?, ?, ?, ?)") ; db->execute(sth, arg1, arg2, arg3, arg4) ; It's always preferable to try and avoid passing data to the SQL parser even if for no reason other than it's more efficient to pass it a placeholder/token instead of your data in terms of time it takes to process. Isn’t %c the “single character” mask?

I haven’t used PG in a long time, but normally you “prepare” the query; the standard interface is usually something like this:

db = databaseConnection() ;
sth = prepareStatement(“INSERT INTO table (xval, yval, strval, dataval) VALUES (?, ?, ?, ?)”) ;
db->execute(sth, arg1, arg2, arg3, arg4) ;

It’s always preferable to try and avoid passing data to the SQL parser even if for no reason other than it’s more efficient to pass it a placeholder/token instead of your data in terms of time it takes to process.

]]>