Placeholders

Placeholders allow query parameters to be executed safely, preventing common SQL injection methods.

Parameters can be passed as an array or as an object (the latter are referred to as named parameters).

local identifier = 'license:abc123'
local group = 'admin'
 
MySQL.scalar('SELECT `username` FROM `users` WHERE `identifier` = ? AND `group` = ?', { identifier, group })
 
-- Named placeholders (deprecated)
MySQL.scalar('SELECT `username` FROM `users` WHERE `identifier` = @identifier AND `group` = @group', {
    group = group,
    identifier = identifier
})

These are distinct from prepared statements, which are handled by the MySQL server; you can use MySQL.prepare for more optimised and secure queries.
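To show why binding a value through a placeholder is safer than concatenating it into the query text, the following added example (not oxmysql's own code) models placeholder substitution in plain Lua. `escapeValue` and `bindPlaceholders` are hypothetical helpers, the input is constructed, and the escaping assumes standard MySQL string-literal rules with backslash escapes enabled.

```lua
-- Added example: simplified model of placeholder binding done before the query is sent.
-- escapeValue and bindPlaceholders are hypothetical helpers, not oxmysql functions.
-- Assumes backslash escapes are enabled on the server (NO_BACKSLASH_ESCAPES off).
local ESCAPES = {
    ['\0'] = '\\0', ['\n'] = '\\n', ['\r'] = '\\r', ['\26'] = '\\Z',
    ["'"] = "\\'", ['"'] = '\\"', ['\\'] = '\\\\',
}

-- Turn one Lua value into a SQL literal; anything unexpected is rejected.
local function escapeValue(value)
    local kind = type(value)
    if kind == 'boolean' then return value and 'TRUE' or 'FALSE' end
    if kind == 'number' and value == value and math.abs(value) ~= math.huge then
        return tostring(value)
    end
    if kind == 'string' then
        local escaped = value:gsub('.', ESCAPES) -- characters not in the table are kept
        return "'" .. escaped .. "'"
    end
    error('unsupported parameter: ' .. tostring(value))
end

-- Replace each ? with the next escaped parameter; counts must match exactly.
local function bindPlaceholders(query, params)
    local index = 0
    local bound = query:gsub('%?', function()
        index = index + 1
        if index > #params then error('too few parameters') end
        return escapeValue(params[index])
    end)
    if index < #params then error('too many parameters') end
    return bound
end

-- Constructed input: a value whose quote tries to end the string literal early.
local identifier = "license:abc123' OR '1'='1"
local group = 'admin'

-- Concatenation: the quote in the value closes the literal and the rest is parsed as SQL.
local concatenated = "SELECT `username` FROM `users` WHERE `identifier` = '"
    .. identifier .. "' AND `group` = '" .. group .. "'"

-- Placeholders: the same value stays inside one quoted literal.
local bound = bindPlaceholders(
    'SELECT `username` FROM `users` WHERE `identifier` = ? AND `group` = ?',
    { identifier, group })

print(concatenated)
print(bound)
assert(bound == "SELECT `username` FROM `users` WHERE `identifier` = 'license:abc123\\' OR \\'1\\'=\\'1' AND `group` = 'admin'")
```

Escaping only protects values; table names, column names and SQL keywords cannot be bound this way and should come from a fixed allow-list.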