Using parameters in statements
Using SQL statement parameters allows you to create a reusable SQL statement.
When you use statement parameters, values within the statement can change (such
as values being added in an INSERT statement) but the basic statement text
remains unchanged. Consequently, using parameters provides performance benefits
and makes it easier to code an application.
Understanding statement parameters
Frequently an application uses a single SQL statement multiple times in an
application, with slight variation. For example, consider an inventory-tracking
application where a user can add new inventory items to the database. The
application code that adds an inventory item to the database executes a SQL
INSERT statement that actually adds the data to the database. However, each
time the statement is executed there is a slight variation. Specifically, the
actual values that are inserted in the table are different because they are
specific to the inventory item being added.
In cases where you have a SQL statement that's used multiple times with
different values in the statement, the best approach is to use a SQL statement
that includes parameters rather than literal values in the SQL text. A parameter
is a placeholder in the statement text that is replaced with an actual value
each time the statement is executed. To use parameters in a SQL statement, you
create the
SQLStatement
instance as usual. For the actual SQL statement assigned to the text property,
use parameter placeholders rather than literal values. You then define the value
for each parameter by setting the value of an element in the SQLStatement
instance's parameters property. The parameters property is an associative
array, so you set a particular value using the following syntax:
statement.parameters[parameter_identifier] = value;
The parameter_identifier is a string if you're using a named parameter, or an integer index if you're using an unnamed parameter.
Using named parameters
A parameter can be a named parameter. A named parameter has a specific name that the database uses to match the parameter value to its placeholder location in the statement text. A parameter name consists of the ":" or "@" character followed by a name, as in the following examples:
:itemName
@firstName
The following code listing demonstrates the use of named parameters:
var sql:String =
"INSERT INTO inventoryItems (name, productCode)" +
"VALUES (:name, :productCode)";
var addItemStmt:SQLStatement = new SQLStatement();
addItemStmt.sqlConnection = conn;
addItemStmt.text = sql;
// set parameter values
addItemStmt.parameters[":name"] = "Item name";
addItemStmt.parameters[":productCode"] = "12345";
addItemStmt.execute();
Using unnamed parameters
As an alternative to using named parameters, you can also use unnamed parameters. To use an unnamed parameter you denote a parameter in a SQL statement using a "?" character. Each parameter is assigned a numeric index, according to the order of the parameters in the statement, starting with index 0 for the first parameter. The following example demonstrates a version of the previous example, using unnamed parameters:
var sql:String =
"INSERT INTO inventoryItems (name, productCode)" +
"VALUES (?, ?)";
var addItemStmt:SQLStatement = new SQLStatement();
addItemStmt.sqlConnection = conn;
addItemStmt.text = sql;
// set parameter values
addItemStmt.parameters[0] = "Item name";
addItemStmt.parameters[1] = "12345";
addItemStmt.execute();
Benefits of using parameters
Using parameters in a SQL statement provides several benefits:
Better performance
A SQLStatement instance that uses parameters can execute more efficiently
compared to one that dynamically creates the SQL text each time it executes. The
performance improvement is because the statement is prepared a single time and
can then be executed multiple times using different parameter values, without
needing to recompile the SQL statement.
Explicit data typing
Parameters are used to allow for typed substitution of values that are unknown
at the time the SQL statement is constructed. The use of parameters is the only
way to guarantee the storage class for a value passed in to the database. When
parameters are not used, the runtime attempts to convert all values from their
text representation to a storage class based on the associated column's type
affinity.
For more information on storage classes and column affinity, see Data type support.
Greater security
The use of parameters helps prevent a malicious technique known as a SQL
injection attack. In a SQL injection attack, a user enters SQL code in a
user-accessible location (for example, a data entry field). If application code
constructs a SQL statement by directly concatenating user input into the SQL
text, the user-entered SQL code is executed against the database. The following
listing shows an example of concatenating user input into SQL text. Do not use
this technique :
// assume the variables "username" and "password"
// contain user-entered data
var sql:String =
"SELECT userId " +
"FROM users " +
"WHERE username = '" + username + "' " +
" AND password = '" + password + "'";
var statement:SQLStatement = new SQLStatement();
statement.text = sql;
Using statement parameters instead of concatenating user-entered values into a statement's text prevents a SQL injection attack. SQL injection can't happen because the parameter values are treated explicitly as substituted values, rather than becoming part of the literal statement text. The following is the recommended alternative to the previous listing:
// assume the variables "username" and "password"
// contain user-entered data
var sql:String =
"SELECT userId " +
"FROM users " +
"WHERE username = :username " +
" AND password = :password";
var statement:SQLStatement = new SQLStatement();
statement.text = sql;
// set parameter values
statement.parameters[":username"] = username;
statement.parameters[":password"] = password;