Support for 'for' (loop) command in the SQL parser. #2
Comments
Thanks for your request. Yes, I understand the necessity for
What does it mean? I think it's safe to give the array which has one element to If there are any cases which cause SQL injection with
An array with more than one element is the problem. I think the last time I tried, with a Prepared Statement it was possible to bind only one parameter, not a "variable sized" one, i.e. `where something IN (?)`. So since Mirage allows to "bind an array", it must concatenate the elements, and since it doesn't seem to use
Yes, so Mirage expands an array binding to multiple placeholders: `where something IN /*array*/` becomes `where something IN (?, ?, ...)`. See #1 (comment) to know how to bind an array as
Any news on the "loop" command support?
I subscribe to @hansgru's request. A "for" loop would simplify quite a few scenarios. Thanks
+1
Please add support for the "for" command in the SQL parser.
E.g. something like below might be a possibility:
Of course, one option might be for the above example to use `IN` with arrays, but because it's bound to only one parameter this is open to SQL injection, so in this case the Prepared Statement doesn't bring too much advantage and security (besides, there are many more cases where it's simply not possible to reformulate the statement to make use of `IN` with arrays). Thank you very much.