Placeholders
Placeholders allow query parameters to be passed safely, preventing common SQL injection methods.
Parameters can be passed as an array (matched to `?` placeholders by position) or as an object keyed by name (referred to as named parameters, matched to `@name` placeholders).
local identifier = 'license:abc123'
local group = 'admin'

-- Positional placeholders: values are matched to each `?` by position
MySQL.scalar('SELECT `username` FROM `users` WHERE `identifier` = ? AND `group` = ?', { identifier, group })

-- Named placeholders (deprecated): values are matched to each `@name` by key
MySQL.scalar('SELECT `username` FROM `users` WHERE `identifier` = @identifier AND `group` = @group', {
    group = group,
    identifier = identifier
})
These are distinct from prepared statements, which are handled by the MySQL server; you can use MySQL.prepare
for more optimised and secure queries.
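The following is an added example, not code from the oxmysql docs or the project itself. It contrasts building the query by string concatenation with using positional placeholders, and adds a small check that the number of `?` placeholders matches the number of parameters. The `MySQL` table here is a constructed stand-in that only records what it was called with, so the script runs with plain Lua outside FiveM; in a real resource you would call oxmysql's `MySQL.scalar` directly.

```lua
-- Constructed stand-in for oxmysql's MySQL.scalar: records the query text and
-- parameters it receives so the two approaches can be compared offline.
local MySQL = {}
local sent = {}

function MySQL.scalar(query, params)
    sent[#sent + 1] = { query = query, params = params or {} }
    return nil -- a real driver would return the first column of the first row
end

-- Count `?` placeholders in a query string (`?` must be escaped in Lua patterns).
-- Note: a literal `?` inside an SQL string constant would also be counted.
local function countPlaceholders(query)
    local n = 0
    for _ in query:gmatch('%?') do
        n = n + 1
    end
    return n
end

-- Safe: the SQL text is a constant; user-controlled values travel only as parameters.
local function getUsername(identifier, group)
    local query = 'SELECT `username` FROM `users` WHERE `identifier` = ? AND `group` = ?'
    local params = { identifier, group }
    assert(countPlaceholders(query) == #params, 'placeholder/parameter count mismatch')
    return MySQL.scalar(query, params)
end

-- Unsafe: concatenation bakes the values into the SQL text, so any quote or
-- SQL syntax inside a value changes the meaning of the statement.
local function getUsernameUnsafe(identifier, group)
    return MySQL.scalar(
        "SELECT `username` FROM `users` WHERE `identifier` = '" .. identifier ..
        "' AND `group` = '" .. group .. "'"
    )
end

-- Constructed input: a perfectly ordinary value that happens to contain an apostrophe.
local identifier = "license:o'brien"
local group = 'admin'

getUsername(identifier, group)
getUsernameUnsafe(identifier, group)

-- With placeholders the query text never changes and the apostrophe is just data.
print('placeholder query :', sent[1].query)
print('placeholder params:', sent[1].params[1], sent[1].params[2])

-- With concatenation the apostrophe has broken the SQL; the statement is now
-- malformed and the value has become part of the query's structure.
print('concatenated query:', sent[2].query)

-- The count check catches a common refactoring mistake: adding a condition
-- to the SQL without adding the matching parameter.
local ok, err = pcall(function()
    local query = 'SELECT `username` FROM `users` WHERE `identifier` = ? AND `group` = ? AND `banned` = ?'
    assert(countPlaceholders(query) == 2, 'placeholder/parameter count mismatch')
end)
print('mismatch detected:', not ok, err)
```

The recorded `sent[1].query` is byte-for-byte the literal from the source, whatever the inputs were, which is the property that makes placeholders immune to injection. The placeholder count check is an extra defensive measure, not something oxmysql requires; the server will reject a mismatched query anyway, but failing early at the call site makes the error easier to trace.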