dbPrepareString
Server-side
This function escapes arguments in the same way as dbQuery, except that dbPrepareString returns the query string instead of processing the query. This allows you to safely build complex query strings from component parts and helps prevent (one class of) SQL injection.
OOP Syntax
- Method: db-connection:prepareString(...)
Syntax
string|false dbPrepareString ( element db-connection, string query, var param1 [, var param2 ...] )
Required Arguments
- db-connection: A database connection element previously returned from dbConnect.
- query: An SQL query. Positions where parameter values will be inserted are marked with a ?.
- param1 [, var param2 ...]: A variable number of parameters. These must be strings or numbers - it is important to make sure they are of the correct type. Also, the number of parameters passed must be equal to the number of ? characters in the query string. String parameters are automatically quoted and escaped as required. (If you do not want a string quoted, use ??.) Make sure that numbers are in number format, as a string containing a number is treated differently (it is quoted).
Returns
- string|false: query string
Returns a prepared SQL query string, or false if an error occurred.
Code Examples
Server
This example shows how to safely build a dynamic SELECT query.
local serialsToUse = {"111", "222", "333"}
local queryString = dbPrepareString(connection, "SELECT * FROM `player_info` WHERE true")
for _, serial in ipairs(serialsToUse) do
    queryString = queryString .. dbPrepareString(connection, " AND `serial`=?", serial)
end
local handle = dbQuery(connection, queryString)
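The following is an added example, not code from the wiki page: it builds a filtered and sorted query from optional inputs, passing values through ? (quoted and escaped), converting numeric inputs with tonumber so they are not quoted, and restricting anything that goes through ?? (inserted unquoted) to an allow-list. It assumes a server-side `connection` from dbConnect and a constructed `players` table with columns `name`, `score` and `serial`.

```lua
-- Columns that may be used for ORDER BY. ?? inserts the value unquoted,
-- so only values from this fixed list may ever reach it.
local ALLOWED_SORT = { name = true, score = true, serial = true }

-- Append a prepared fragment to a query being built; returns false if any
-- step failed so that a false from dbPrepareString is never concatenated.
local function append(connection, query, fragment, ...)
    if not query then return false end
    local part = dbPrepareString(connection, fragment, ...)
    if not part then return false end
    return query .. part
end

-- filters: { name = string?, minScore = string|number?, sort = string?, limit = string|number? }
local function buildPlayerSearch(connection, filters)
    local query = append(connection, "", "SELECT * FROM `players` WHERE 1=1")

    if filters.name then
        -- String parameter: dbPrepareString quotes and escapes it, so LIKE
        -- wildcards typed by the user are plain data, not SQL.
        query = append(connection, query, " AND `name` LIKE ?", "%" .. filters.name .. "%")
    end

    if filters.minScore then
        -- Convert explicitly: a number passed as the string "50" would be quoted.
        local minScore = tonumber(filters.minScore)
        if not minScore then return false end
        query = append(connection, query, " AND `score` >= ?", minScore)
    end

    local sortColumn = filters.sort or "name"
    if not ALLOWED_SORT[sortColumn] then
        return false -- reject rather than pass unchecked input through ??
    end
    query = append(connection, query, " ORDER BY ??", sortColumn)

    local limit = tonumber(filters.limit) or 20
    return append(connection, query, " LIMIT ?", limit)
end

-- Usage on the server, e.g. from a command handler:
local queryString = buildPlayerSearch(connection, { name = "Bob", minScore = "50", sort = "score" })
if queryString then
    dbQuery(function(queryHandle)
        local rows = dbPoll(queryHandle, 0)
        outputDebugString("player search returned " .. (rows and #rows or 0) .. " rows")
    end, connection, queryString)
end
```

A sort value such as "score; DROP TABLE players" fails the allow-list check and the function returns false before any string reaches ??.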