A parameterized query is a type of database query that contains one or more parameter placeholders (for example, $location) for input data.
Parameterized queries for InfluxDB v3 help developers reuse existing queries and prevent SQL injection attacks by separating query statements from input data.
Application code that receives user input, such as column names or conditional expressions, to customize a query can assign user input values to named parameter placeholders (for example, $min_price) in the query.
Using an InfluxDB v3 client that supports parameterized queries, the application sends the following in a query request to InfluxDB:
the query: select price > $min_price from stocks
the parameter-value pairs :{"min_price": 20.00}
During query execution, The InfluxDB v3 Querier processes query statements separately from the parameter-value pairs, and then replaces parameter placeholders in the query with the specified values. This separation of query structure from the input data helps prevent SQL injection attacks by ensuring that data is never treated as executable code.
Supported data types
A parameter value can be one of the following data types:
null
boolean
u_int64
int64
float64
string
1.1 Parameterized Query Example using and SQL
The following excerpt shows how to use a parameterized SQL query with InfluxDB v3 and the influxdb3-go client :
// Define a query that contains placeholders (syntax: $placeholder) for variable values.
// The following SQL query contains a $room placeholder.
query := `
SELECT * FROM home
WHERE time >= now() - INTERVAL '7 days'
AND room = $room`
// Define a QueryParameters map that assigns placeholder keys to substitution values.
parameters := influxdb3.QueryParameters{
"room": "Kitchen",
}
// Call the QueryWithParameters function to send the query and parameters, and retrieve the result.
iterator, err := client.QueryWithParameters(context.Background(), query, parameters)
Status:
Tested in Serverless, cloud2.
In SQL, I haven't been able to use parameters for interval data types or within INTERVAL literals or for integers in timestamp conditions. See examples. Waiting to hear more from @erratic-pattern.
A parameterized query is a type of database query that contains one or more parameter placeholders (for example,
$location) for input data. Parameterized queries for InfluxDB v3 help developers reuse existing queries and prevent SQL injection attacks by separating query statements from input data.Application code that receives user input, such as column names or conditional expressions, to customize a query can assign user input values to named parameter placeholders (for example,
$min_price) in the query. Using an InfluxDB v3 client that supports parameterized queries, the application sends the following in a query request to InfluxDB:select price > $min_price from stocks{"min_price": 20.00}During query execution, The InfluxDB v3 Querier processes query statements separately from the parameter-value pairs, and then replaces parameter placeholders in the query with the specified values. This separation of query structure from the input data helps prevent SQL injection attacks by ensuring that data is never treated as executable code.
Supported data types
A parameter value can be one of the following data types:
1.1 Parameterized Query Example using and SQL The following excerpt shows how to use a parameterized SQL query with InfluxDB v3 and the influxdb3-go client :
Status:
intervaldata types or withinINTERVALliterals or for integers in timestamp conditions. See examples. Waiting to hear more from @erratic-pattern.