
Pass user input into a SQL query

Problem

You need to pass user input into a SQL query function.

Solution

Use client-side interpolation {{ }} to pass the value of an input field component into a SQL function as a string.

In the following example, sqlSearchInput is an Input component attached to the same page as the function.

Code Example

SELECT
  COUNT(*)
FROM
  users
WHERE
  {{ !sqlSearchInput.value }}
  OR name ILIKE {{ "%" + sqlSearchInput.value + "%" }}
  OR email ILIKE {{ "%" + sqlSearchInput.value + "%" }}

Discussion

  • Dynaboard escapes input into SQL functions to prevent SQL injection.
  • The client-side interpolation takes the value of the input from the client, serializes it, and then passes it to the server where it is included in the SQL function as an escaped string.
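As an added illustration (not Dynaboard's code), the following Python models the recipe's query with SQLite: each {{ }} expression becomes a bound parameter, so a legitimate apostrophe in the search term is handled, while splicing the same value into the SQL text breaks the statement. SQLite's LIKE stands in for Postgres ILIKE, and the users table is constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for the recipe's users table.
USERS = [
    ("Alice Example", "alice@example.test"),
    ("Bob O'Brien", "bob.obrien@example.test"),
    ("Carol Smith", "carol@example.test"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn

def count_users_bound(conn, search):
    """Mirror of the recipe: every {{ }} expression is a bound parameter.
    {{ !sqlSearchInput.value }} is evaluated client-side to a boolean and the
    two "%" + value + "%" expressions become plain strings, so the wildcards
    and any quotes travel as data, never as query text.
    SQLite's LIKE is case-insensitive for ASCII, like Postgres ILIKE."""
    sql = """
        SELECT COUNT(*) FROM users
        WHERE ? OR name LIKE ? OR email LIKE ?
    """
    pattern = "%" + search + "%"
    return conn.execute(sql, (not search, pattern, pattern)).fetchone()[0]

def count_users_concat(conn, search):
    """Anti-pattern shown for contrast: the value is spliced into the SQL.
    An ordinary apostrophe in the input (O'Brien) terminates the literal."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE name LIKE '%" + search + "%'"
        " OR email LIKE '%" + search + "%'"
    )
    return conn.execute(sql).fetchone()[0]

def concat_fails(conn, search):
    """True when the concatenated form cannot even be parsed for this input."""
    try:
        count_users_concat(conn, search)
        return False
    except sqlite3.Error:
        return True
```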

See also