dbPrepareString
This function escapes arguments in the same way as dbQuery, except that dbPrepareString returns the query string instead of executing the query. This lets you safely build complex query strings from component parts and helps prevent (one class of) SQL injection: the values are escaped before they are placed into the query text, so they cannot change the structure of the statement.
OOP Syntax
- Method: connection:prepareString(...)
Syntax
string dbPrepareString ( element databaseConnection, string query, var param1 [, var param2 ...] )
Required Arguments
- databaseConnection: A database connection element previously returned from dbConnect
- query: An SQL query. Positions where parameter values will be inserted are marked with a ?
- param1 [, var param2 ...]: The values that replace the ? markers in query, in order (the first value replaces the first ?, and so on). Each value is escaped in the same way dbQuery escapes its parameters.
Returns
- string: the prepared SQL query string, or false if an error occurred.
Code Examples
shared
This example shows how to safely build a dynamic SELECT query from a list of values.
local serialsToUse = { "111", "222", "333" }
-- Start from a condition that is always false, then let each serial add an alternative.
local queryString = dbPrepareString( connection, "SELECT * FROM `player_info` WHERE false" )
for _, serial in ipairs( serialsToUse ) do
    -- Each serial is escaped by dbPrepareString before it is appended to the query.
    queryString = queryString .. dbPrepareString( connection, " OR `serial`=?", serial )
end
local handle = dbQuery( connection, queryString )
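As an added example that is not from the wiki page, the following shows the unsafe string concatenation that dbPrepareString replaces, beside a safe version that passes a whole list of values through ? markers in one call. It assumes a server-side `connection` from dbConnect and an illustrative `player_info` table with a `serial` column; the `IN (...)` construction and the error checks are assumptions of this example, not part of the wiki.

```lua
-- Added example, not from the MTA wiki. Assumes `connection` came from
-- dbConnect and that a `player_info` table with a `serial` column exists
-- (both names are illustrative). MTA runs Lua 5.1, so `unpack` is global.

-- UNSAFE: raw input is pasted into the SQL text. A serial containing a
-- single quote would change the meaning of the WHERE clause instead of
-- being matched as a value.
local function findBySerialUnsafe(connection, serial)
    local query = "SELECT * FROM `player_info` WHERE `serial`='" .. serial .. "'"
    return dbPoll(dbQuery(connection, query), -1)
end

-- SAFE: every value travels through a ? marker, so dbPrepareString escapes
-- it. Only values can be supplied this way; table and column names stay as
-- fixed literals in the query text.
local function findBySerials(connection, serials)
    if #serials == 0 then
        return {}                  -- `IN ()` is not valid SQL, so short-circuit
    end
    -- One ? marker per serial, e.g. "?, ?, ?"
    local markers = string.rep("?, ", #serials - 1) .. "?"
    local queryString = dbPrepareString(connection,
        "SELECT * FROM `player_info` WHERE `serial` IN (" .. markers .. ")",
        unpack(serials))
    if not queryString then
        return false               -- dbPrepareString signals an error with false
    end
    local handle = dbQuery(connection, queryString)
    if not handle then
        return false
    end
    return dbPoll(handle, -1)      -- -1 waits for the result: rows table, or false on error
end

-- Usage (server-side) with constructed sample serials:
-- local rows = findBySerials(connection, { "111", "222", "333" })
```

Because the number of ? markers is derived from the length of `serials`, the value count always matches the marker count, which is the check that a hand-built query tends to get wrong.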