cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Choose Language Hide Translation Bar

Provide a mechanism for parameterized SQL queries

Status: New Submitted by on ‎11-03-2021 01:11 PM
1 Comment (1 New)

ODBC libraries typically provide the ability to create parameterized queries that pass the query and parameters to the database separately.  This basically eliminates the risk of SQL injection attacks, but is also very convenient from a programming standpoint.  Because JMP has ODBC queries, it should also have parameterized queries so that you can do:

 

Execute SQL(database, 
    "Select * from Employees where Name like ? and Status=?",
    "BobList", 
    {"Bob", "Active"}
);

pyodbc's parameterized queries:

https://github.com/mkleehammer/pyodbc/wiki/Getting-started#parameters

 

The .NET ecosystem's parameterized queries:

https://docs.microsoft.com/en-us/dotnet/api/system.data.odbc.odbccommand.parameters?redirectedfrom=M...

 

1 Comment
KevinKirspel
Level I
‎10-10-2024 10:02 AM
‎10-10-2024 10:02 AM

I think you could implement this using named queries: Create Named Query() and Execute Named Query().  Under the hood, these functions would use the ODBC SQLPrepare(), SQLBindParameter(), and SQLExecute() functions.  The Create Named Query() function would take the SQL statement and parameters.  It would return a named query object.  The Execute Named Query() would take the database connection object, the named query object, and the parameter values as inputs and return the SQL results as a data table (if needed).  The database connection object could be an input of the create function instead of the execute function.  The benefit of this approach is that the creation can happen at script initialization leaving the executing piece separate which will probably be more efficient.