Fork me on GitHub
#sql
<
2017-06-17
>
petr.mensik15:06:09

Hello guys, is there a way how to pass function params in a safe way in prepared statements? I am using Korma with exec-raw to execute this query

(str "UPDATE " (ComponentTypes component-name)
       " SET tags = tags || ['?']::jsonb WHERE id = ?"))
Then I am calling it with (exec-raw [(get-tag-update-query component-name) [tag id]])) and I am getting The column index is out of range :2, so it basically doesn't recognize the first parameter. It doesn't work even if I remove single quotes. Thanks for help

seancorfield16:06:52

I'm surprised it doesn't work when you remove the ' but the brackets may be escaping it.

seancorfield16:06:50

Korma does all sorts of "magic" so I'd recommend trying that update with raw java.jdbc and see if it works.

petr.mensik16:06:41

@seancorfield sure but I would expect Korma to just pass the query to JDBC without any magic when calling exec-raw. But I am gonna try that, thanks

seancorfield16:06:38

It'll certainly be easier to debug pure java.jdbc 😈 I can help you there, but not with Korma.

seancorfield16:06:21

What DB are you using? I've never seen SQL like that...

petr.mensik16:06:33

PostgreSQL, it has json(b) type to allow work with JSON (so you can achieve same things like with Mongo but you don't lose relations, transactions, etc)

petr.mensik16:06:07

this query just adds an elements into JSON array which is stored in JSONB column