Support for prepared statements

[Antokolos]

As I've understood, there is no support for prepared statements right now, therefore I'm forced to write the statements with parameters in the following way: db.query("UPDATE players SET player_name = '%s' WHERE steam_id = %d" % [player_name, steam_ID]) which is obviously very dangerous because of potential SQL injections It would be very very nice, if support for prepared statements would be added. Maybe, for example, these functions: https://www.sqlite.org/c3ref/bind_blob.html

[Antokolos]

P.S.: and it would be super great, if we can do it in one line! :) For example, query above: db.query("UPDATE players SET player_name = '%s' WHERE steam_id = %d" % [player_name, steam_ID]) should be changed to something like: db.query("UPDATE players SET player_name = ? WHERE steam_id = ?", player_name, steam_ID) and the library processes variables under the hood, determines the type of the variable and calls the corresponding sqlite3bind* function, if this is, of course, possible :)

[TGRCdev]

I put a bit of work into this. Right now, I have it working with query() using a PoolStringArray to pass arguments.

Unfortunately, now query() REQUIRES a PoolStringArray for the second argument, even if it's empty. GDNative does not support variadic arguments, so I'm trying to see if I can make the default argument an empty array.

Worst case scenario, I can make a new function called query_with_args(), and leave query() alone.

Thoughts?

EDIT: Added parameter binding to fetch_array() and confirmed that SQL injections are prevented.

[Antokolos]

Wow, great to hear that you already implemented it! Hope it gets merged into master soon! As for the function names, in my opinion query_with_args() is acceptable, but let's see, what @khairul169 thinks about it.

[khairul169]

That was great, Thanks! :)