
Sql Builder

Open brodotnet opened this issue 3 years ago • 1 comments

Hi everyone, I want to ask about the Sql builder. I want to create a database schema with the PostgreSQL provider using the Sql builder function, but when this function is executed with the code below, the result always generates "0" as the schema name.

When I try this code: `sql.Append("DECLARE myvar TEXT = @0 ; ","demo");` the result should be `DECLARE myvar TEXT = 'demo'`, but instead it becomes `DECLARE myvar TEXT = '0`. When I try this code: `sql.Append($"DECLARE myvar TEXT = '{schemaName}' ; ");` it works. But I want to avoid SQL injection, therefore I use the Sql builder function.

**Full code below**

```csharp
Sql sql = new Sql();
sql.Append("DO $$");
sql.Append($"DECLARE myvar TEXT = '{name}' ; ");
sql.Append("BEGIN EXECUTE 'CREATE SCHEMA ' || quote_ident(myvar); END $$;");
await database.ExecuteAsync(sql);
```

Thank you.


brodotnet avatar Aug 20 '22 16:08 brodotnet

I don't think this is an issue with PetaPoco -- the SQL fed to the command seems to be just what you asked for. Are you sure that Postgres allows the use of parameters in declaring a variable?

asherber avatar Aug 21 '22 11:08 asherber
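
An added example, not from either poster and not PetaPoco's own code: PostgreSQL does not accept bind parameters in a `DO` block or in DDL such as `CREATE SCHEMA`, so one way to keep the schema name from becoming an injection point is to check it against a strict allowlist and quote it as an identifier before building the statement. `SchemaHelper` and its methods are hypothetical names, and `database` is assumed to be a PetaPoco `IDatabase`.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using PetaPoco;

// Added example: SchemaHelper, QuoteSchemaName and CreateSchemaAsync are hypothetical names.
public static class SchemaHelper
{
    // Allowlist: lower-case letters, digits and underscore, not starting with a digit,
    // at most 63 characters (PostgreSQL's default identifier length limit).
    // This also rejects '@', which PetaPoco would read as a parameter prefix,
    // and quotes, '$' and whitespace, which could break out of the statement.
    private static readonly Regex SafeName =
        new Regex(@"\A[a-z_][a-z0-9_]{0,62}\z", RegexOptions.CultureInvariant);

    public static string QuoteSchemaName(string name)
    {
        if (name == null) throw new ArgumentNullException(nameof(name));
        if (!SafeName.IsMatch(name))
            throw new ArgumentException("Schema name contains characters outside the allowlist.", nameof(name));
        if (name.StartsWith("pg_", StringComparison.Ordinal))
            throw new ArgumentException("The pg_ prefix is reserved for system schemas.", nameof(name));

        // Double any embedded quote (none can pass the allowlist; kept as defence in depth).
        return "\"" + name.Replace("\"", "\"\"") + "\"";
    }

    public static Task<int> CreateSchemaAsync(IDatabase database, string name)
    {
        // The name is validated and quoted, so no DO block or interpolated string literal is needed.
        return database.ExecuteAsync("CREATE SCHEMA " + QuoteSchemaName(name));
    }
}
```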