Added recommendations to PreparedStatement and QueryBuilder's docs.

This commit is contained in:
Relintai 2025-05-12 11:35:15 +02:00
parent 3bed872f84
commit b02ddfd5e2
2 changed files with 5 additions and 3 deletions


@ -6,7 +6,8 @@
<description> <description>
Represents a prepared statement for use with a [Database]. Represents a prepared statement for use with a [Database].
Prepared statements are compiled and parametrized sql statements which can be used repeatedly. Prepared statements are compiled and parametrized sql statements which can be used repeatedly.
[PreparedStatement]s are an alternative to [QueryBuilder]. [PreparedStatement]s are an alternative to [QueryBuilder]. [QueryBuilder] is better for simple queries as it makes them database backend agnostic.
If multiple database backend support is desired [method Database.get_backend_name] can help in deciding what sql to use.
Prepared statements comes with a lot of added security, as SQL injection attacks doesn't work with them (as long as you use their parameters). However note that [QueryBuilder] will escape string parameters which expect to have user input in the for you too, so if you use [QueryBuilder] yuo should also be safe. Prepared statements comes with a lot of added security, as SQL injection attacks doesn't work with them (as long as you use their parameters). However note that [QueryBuilder] will escape string parameters which expect to have user input in the for you too, so if you use [QueryBuilder] yuo should also be safe.
Performance can differ compared to normal queries, but it seems like it depends on a lot of factors, so you will have to banchmark it yourself for heavy queries. It can be faster or slower. Performance can differ compared to normal queries, but it seems like it depends on a lot of factors, so you will have to banchmark it yourself for heavy queries. It can be faster or slower.
A prepared statement looks similar: A prepared statement looks similar:
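Review bot: the new sentence on the `[method Database.get_backend_name]` line reads awkwardly and is missing a comma; suggest "If support for multiple database backends is desired, [method Database.get_backend_name] can help in deciding which SQL to use." The new recommendation in the `[PreparedStatement]s are an alternative to [QueryBuilder]` line would also benefit from qualifying the safety comparison that follows it: the existing text says "if you use [QueryBuilder] yuo should also be safe", but the QueryBuilder description in this same commit states that the 'n'-prefixed variants such as [method nselect] do not escape their parameters, so the recommendation should say that QueryBuilder is only injection-safe when the escaping (non-'n') methods are used with user input. While this paragraph is being touched, the pre-existing typos in the surrounding context ("yuo", "banchmark", "in the for you too") could be fixed in the same change.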


@ -1,10 +1,11 @@
<?xml version="1.0" encoding="UTF-8" ?> <?xml version="1.0" encoding="UTF-8" ?>
<class name="QueryBuilder" inherits="Reference"> <class name="QueryBuilder" inherits="Reference">
<brief_description> <brief_description>
A class that helps you with building and running database backend specific sql safely. A class that helps you with building and running database backend agnostic sql safely.
</brief_description> </brief_description>
<description> <description>
A class that helps you with building and running database backend specific sql safely. A class that helps you with building and running database backend agnostic sql safely.
Recommended for relative simple queries. For more advanced use cases [PreparedStatement]s are better.
Methods by default use escape on their parameters that can normally contain user input. For performance reasons other variants that don't do this also exist. These are prefixed with 'n'. For example [method select] vs [method nselect]. Don't use these with raw user input, as it will make your application vulnerable to sql injection attacks. Methods by default use escape on their parameters that can normally contain user input. For performance reasons other variants that don't do this also exist. These are prefixed with 'n'. For example [method select] vs [method nselect]. Don't use these with raw user input, as it will make your application vulnerable to sql injection attacks.
It contains helper methods that lets you run the finished query directly See [method run] and [method run_query]. It contains helper methods that lets you run the finished query directly See [method run] and [method run_query].
You should not allocate this directly, instead get it from you active database connection, like: You should not allocate this directly, instead get it from you active database connection, like:
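Review bot: the added line "Recommended for relative simple queries." should read "relatively simple queries", and it would help the reader if it stated when [PreparedStatement] is the better choice, matching the wording added to the PreparedStatement description in this commit (backend-specific SQL or more advanced queries), e.g. "Recommended for relatively simple, backend agnostic queries. For more advanced or backend specific use cases [PreparedStatement]s are better." The change from "backend specific" to "backend agnostic" in the brief and full descriptions is correct and consistent with the PreparedStatement docs; note that the unchanged context line "get it from you active database connection" has a pre-existing typo ("your") that could be fixed here too.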