Closed Blaumaus closed 2 years ago
Hello @Blaumaus!
Thanks for your interest in this library.
As of version 1.0.11, it's not possible to use prepared statements. I already have an implementation of this, but it needs some more testing. I'll be adding them as separate `query` and `insert` methods, something like `queryPrepared` and `insertPrepared`. Prepared statements require parameter names and data types. I'm trying to figure out how we can achieve such functionality efficiently using JavaScript objects. SELECTs are not that much of a problem, but we must think about how we will handle multiple inserts with prepared statements. It would be awesome if you have any thoughts on it.
^ Note: Even though they say that prepared statements are only implemented for selects, there's an issue from 2019 which means the opposite. Maybe we should use prepared statements only for selects. I'm not sure.
With the `insert` method & JSON format, we're using the `JSONEachRow` format to send insert values to the ClickHouse server. As far as I know, unless we use `-Raw` formats, ClickHouse already does the necessary escaping actions. I am still searching for the correct answer to this.
^ Please also see this discussion.
Hello! I love the library and the simplicity of it.
Is it possible to use prepared statements via this client?
Please correct me if I'm wrong, but as I see, you're currently mapping the provided parameters to insert, which probably may be vulnerable to SQL Injection attacks. The prepared statements insertion should prevent it. Is it planned to add this feature into the next releases of this library?
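An added example for the two cases discussed in this thread (it is not code from this library): a SELECT whose values travel as typed parameters instead of being spliced into the SQL, and a `JSONEachRow` insert whose rows are serialized as data. It assumes ClickHouse's HTTP interface with `{name:Type}` placeholders and `param_<name>` URL arguments; `buildSelect`, `buildInsert`, the localhost URL and the `users` table are hypothetical names, and requests are only built, never sent.

```javascript
// Added example: builds ClickHouse HTTP requests without sending them.
// BASE, the table and the column names are constructed for illustration.
const BASE = 'http://localhost:8123/';

// Parameter values are read by the server in its escaped text form,
// so backslash, tab and newline are backslash-escaped before sending.
const escapeParam = (v) =>
  String(v).replace(/\\/g, '\\\\').replace(/\t/g, '\\t').replace(/\n/g, '\\n');

// The SQL text keeps its {name:Type} placeholders; each value is sent
// separately as a param_<name> URL argument and never touches the SQL string.
function buildSelect(sql, params) {
  const names = [...sql.matchAll(/\{(\w+):[^}]+\}/g)].map((m) => m[1]);
  const qs = new URLSearchParams({ query: sql });
  for (const name of names) {
    if (!Object.prototype.hasOwnProperty.call(params, name)) {
      throw new Error(`missing parameter: ${name}`);
    }
    qs.set(`param_${name}`, escapeParam(params[name]));
  }
  return `${BASE}?${qs}`;
}

// JSONEachRow insert: one JSON document per line in the request body.
// The table name is an identifier, not data, so it is checked against a
// strict pattern instead of being escaped.
function buildInsert(table, rows) {
  if (!/^[A-Za-z_]\w*(\.[A-Za-z_]\w*)?$/.test(table)) {
    throw new Error(`invalid table name: ${table}`);
  }
  const qs = new URLSearchParams({
    query: `INSERT INTO ${table} FORMAT JSONEachRow`,
  });
  // JSON.stringify escapes quotes and newlines, so a value cannot end its
  // own row or start another one.
  const body = rows.map((row) => JSON.stringify(row)).join('\n');
  return { url: `${BASE}?${qs}`, body };
}

// Constructed hostile input, used for both request kinds.
const hostile = "x'); DROP TABLE users; --";
const sql = 'SELECT * FROM users WHERE name = {name:String}';
const select = buildSelect(sql, { name: hostile });
const insert = buildInsert('users', [
  { id: 1, name: hostile },
  { id: 2, name: 'line\nbreak' },
]);
console.log(select);
console.log(insert.body);
```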