Hacker News new | ask | show | jobs
by paol 3647 days ago
This is absolutely good advice, but people giving it rarely acknowledge that it isn't always possible.

A particular irritant is that most (all?) db APIs make it impossible to use parametrized queries with IN clauses. I find myself having to implement string escaping functions sooner or later in every project, because of stuff like that.
6 comments
tbrownaw 3647 days ago
That's when you combine parameterized queries and concatenated SQL:

    sql = '... col_name IN ('
    foreach(var arg in args)
      if (!first)
        sql.append(', ')
      sql.append('?')
      params.add(arg)
    sql.append(')')
link
masklinn 3647 days ago
> A particular irritant is that most (all?) db APIs make it impossible to use parametrized queries with IN clauses

Psycopg2 has a generic adaptation of iterables to a form suitable for IN, but it's hand-rolled: https://github.com/psycopg/psycopg2/blob/732ea90a4ff85f6d0cc...

Real convenient though.

link
tmd83 3647 days ago
This is such an irritant. Everyone supports variable size IN clause in the form of a sub-select AFAIK. You should be able to abstract the parsing and have an api to address that. Yet for years its missing and you end up all sorts of garbage under-performing code.

Our current solution is to use of temporary table because other solutions (including dynamically adding parameter in query) makes them unique queries and crashes performance.

link
icebraining 3647 days ago
At least in Postgres, you can use ANY and pass an array of values. From what I've read, the generated query plan is equivalent.
link
masklinn 3647 days ago
> From what I've read, the generated query plan is equivalent.

I believe at one point IN (values) was just sugar for = ANY(ARRAY(values)), don't know if that's still the case.

Still requires that your DB adapter supports array parameters though.

link
snuxoll 3647 days ago
Alternatively, you can use a temp table and a join. Not ideal, but still safe from injection and should have roughly the same overhead in the database.
link
batbomb 3647 days ago
This isn't the case with oracle, MySQL, or hsqldb, at least when using jdbc. I believe it's also not true for SQLite and postgres.
link
continuational 3647 days ago
select * from Person where email = any(?)
link