From 7fedb66adb216ce4891e3645d773e5ce3fc71a49 Mon Sep 17 00:00:00 2001 From: Arnaud Benhamdine Date: Tue, 13 Sep 2016 11:09:54 +0200 Subject: [PATCH] Explain how to pass an array of parameters to a WHERE col IN() clause --- ...terized-queries-and-Prepared-Statements.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) rename Prepared-Statements.md => Parameterized-queries-and-Prepared-Statements.md (84%) diff --git a/Prepared-Statements.md b/Parameterized-queries-and-Prepared-Statements.md similarity index 84% rename from Prepared-Statements.md rename to Parameterized-queries-and-Prepared-Statements.md index b5bfd95..1fd5ad9 100644 --- a/Prepared-Statements.md +++ b/Parameterized-queries-and-Prepared-Statements.md 
@@ -22,6 +22,38 @@ Parameters may not be DDL: Parameterized queries in postgres are parsed, analyzed, rewritten, and planned before each execution, so they provide safety but not speed. +#### Parameters for clause WHERE ... IN () #### + +If you want to securize a query like this : +```sql +SELECT * FROM table WHERE id IN (1,2,3) +``` +you CAN'T pass an array of values as an unique parameter : +```js +client.query('SELECT * FROM table WHERE id = $1', [id1, id2, id3]) +``` +or you will get this error : +`"invalid input syntax for integer"` + +You have to generate a list of parameters, in aim to get the following parameterized query : +``` +client.query('SELECT * FROM table WHERE id IN ($1, $2, $3)', [id1, id2, id3]) +```` +You can do this with : +```js +arr.map(function(item, idx) {return '$' + (idx+1);}); +``` +or you can use the ANY command and cast the id as wanted : +`SELECT * FROM table WHERE id = ANY($1::int[])` + +With the ANY clause, you can pass an array : +```javascript +client.query('SELECT * FROM table WHERE id = ANY($1::int[]'), [id1, id2, id3]) +``` +You can cast the IDs to match the type of the column, for example, you'd write $1::uuid[] to coerce the argument to an array of UUIDs. + +#### Parameters and ES6 Template strings #### + With tagged template string literals introduced in ECMAScript 6, parameterized queries can be written more easily with a simple tag function: ```javascript
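Review bot: the ANY example near the end of this hunk is not valid JavaScript: in `client.query('SELECT * FROM table WHERE id = ANY($1::int[]'), [id1, id2, id3])` the closing parenthesis of `ANY(` sits outside the string literal, so the SQL text ends at `ANY($1::int[]` and the call closes before the parameter array; it should read `client.query('SELECT * FROM table WHERE id = ANY($1::int[])', [id1, id2, id3])`, and since this is the recommended pattern it is worth getting exactly right. Two smaller points in the same hunk: the "you CAN'T" example `client.query('SELECT * FROM table WHERE id = $1', [id1, id2, id3])` supplies three separate values for a single placeholder, which is a different mistake from the one the sentence describes (passing the whole array as one parameter); `[[id1, id2, id3]]` would illustrate the intended case. The `arr.map(function(item, idx) {return '$' + (idx+1);});` snippet returns an array of placeholder strings, so the text should mention joining them (e.g. with `.join(', ')`) before splicing them into the `IN (...)` clause. Formatting and wording: the `IN ($1, $2, $3)` block is closed with four backticks and carries no language tag while the other blocks use `js`/`javascript`; and "securize", "as an unique parameter", "in aim to" and "the ANY command" read better as "secure", "as a single parameter", "in order to" and "the ANY operator".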