prepared statement with labkey SQL?: /home/Support/LabKey Support Forum

prepared statement with labkey SQL?

LabKey Support Forum (Inactive)

View Message

prepared statement with labkey SQL?

kleemann

2011-08-29 16:09

Status: Closed

I'm code reviewing some javascript that constructs SQL and passes it to labkey server via new LABKEY.ext.Store({ sql: "SELECT ..."}) as well as other APIs. Various string values are simply concatenated into a SQL string which is error prone and can possibly be a security problem.

Is there a way to construct a prepared statement in labkey SQL such as passing an object instead of a string. e.g.

var first_name = "Ted"
var age = 30
var s=new LABKEY.ext.Store({ sql:{ sql:"SELECT first_name,last_name FROM person WHERE first_name=? AND AGE<?", arg1:first_name, arg2:age }})

instead of

var first_name = "Ted"
var age = 30
var s = new LABKEY.ext.Store({ sql:"SELECT first_name,last_name FROM person WHERE first_name='" + first_name + "' AND AGE<" + age })

If not, is there an easy way to SQL quote the arguments based on javascript type?

Robert.

Ben Bimber responded:	2011-08-29 16:22
hi robert, since read security is controlled on the server independent of the SQL statement, and since labkey SQL can't update/delete I think the security concern is that high. however, if you above example is really that straightforward, i think you probably want to do this using filters, not by writing a SQL statement. it would be roughly like: LABKEY.ext.Store({ queryName: 'person', schemaName: 'yourSchemaName', filterArray: [ LABKEY.Filter.create('firstname', firstName, LABKEY.Filter.Types.EQUAL), LABKEY.Filter.create('age', age, LABKEY.Filter.Types.GREATER_THAN_OR_EQUAL) ] that's off memory, so there's probably typos.