This page is incomplete! Help wanted!

Please finish this page using the corresponding Old Wiki article.
Go to Contribution guidelines for more information.

---

This function escapes arguments in the same way as dbQuery, except dbPrepareString returns the query string instead of processing the query. This allows you to safely build complex query strings from component parts and help prevent (one class of) SQL injection.

Syntax

 dbPrepareString ( )

Code Examples

Example 1 Example 2

server

This example shows how to safely build a dynamic SELECT query

serialsToUse = { "111", "222", "333" }

local queryString = dbPrepareString( connection, "SELECT * FROM `player_info` WHERE true" )
for _,serial in ipairs(serialsToUse) do
    queryString = queryString .. dbPrepareString( connection, " AND `serial`=?", serial )
end
local handle = dbQuery( connection, queryString )

server

This example shows how to build an INSERT/UPDATE query for multiple rows. (Query syntax is MySQL only and assumes one column is a unique key)

local queryString = dbPrepareString( connection, "INSERT INTO `player_info` (name,serial,ispoopoohead) VALUES " )
for idx,info in ipairs(playerInfos) do
    if idx > 1 then
        queryString = queryString .. ","
    end
    queryString = queryString .. dbPrepareString( connection, "(?,?,?)", info.name, info.serial, info.ispoopoohead )
end
queryString = queryString .. dbPrepareString( connection, " ON DUPLICATE KEY UPDATE name=VALUES(name),serial=VALUES(serial),ispoopoohead=VALUES(ispoopoohead) " )
dbExec( connection, queryString );

See Also

Database Functions

• dbConnect
• dbExec
• dbFree
• dbPoll
• dbPrepareString
• dbQuery
• executeSQLQuery

Reference

• Scripting Functions