Passing parameters to a query

来源:elastic 浏览 269 扫码分享 2020-09-20 00:39:08

Passing parameters to a query

Passing parameters to a query

Using values in a query condition, for example, or in a HAVING statement can be done “inline”, by integrating the value in the query string itself:

POST /_sql?format=txt
{
    "query": "SELECT YEAR(release_date) AS year FROM library WHERE page_count > 300 AND author = 'Frank Herbert' GROUP BY year HAVING COUNT(*) > 0"
}

or it can be done by extracting the values in a separate list of parameters and using question mark placeholders (?) in the query string:

POST /_sql?format=txt
{
    "query": "SELECT YEAR(release_date) AS year FROM library WHERE page_count > ? AND author = ? GROUP BY year HAVING COUNT(*) > ?",
    "params": [300, "Frank Herbert", 0]
}

The recommended way of passing values to a query is with question mark placeholders, to avoid any attempts of hacking or SQL injection.

当前内容版权归 elastic 或其关联方所有，如需对内容或内容相关联开源项目进行关注与资助，请访问 elastic .

本文档使用 BookStack 构建