Why does runPrepUpdate take a list and runNamedQuery take a dictionary for parameters?

zacharyw.larson · June 6, 2023, 2:37pm

I think there is something for me to learn there.

lrose · June 6, 2023, 2:41pm

Because the parameter replacement method is different.

The runPrep* functions take a list and they assume that the first element of the list should replace the first ? encountered in the provided query, and so on until the length of the list is reached.

Named Queries on the other hand use Named parameters, and so the function needs a way to identify which parameter the value should be substituted for.

zacharyw.larson · June 6, 2023, 2:44pm

Is runNamedQuery safe to call in a script on a button if the parameters are values and not query strings, but it is running a delete update?

Or do in need to convert these to runPrepUpdate?

lrose · June 6, 2023, 2:51pm

Yes, runNamedQuery is perfectly safe to call from a script if the parameters are not query strings. It's safe even if query strings are used so long as you are not allowing un-sanitized user input into those parameters.

zacharyw.larson · June 6, 2023, 2:52pm

Thanks, my brain was short circuiting.

I was pretty sure that was correct, but I also for some reason think first of runPrepUpdate as a more robust solution, though I think it is more like another tool rather than actually more robust.

lrose · June 6, 2023, 3:01pm

I would say it is actually the other way around. If you can use a named query you should.

The runPrep* functions are useful when you need to construct a query dynamically based on some user input, like filtering columns that are returned.

You can accomplish everything in the runPrep* functions that you can in Named queries, however, you end up with essentially the same query in multiple places. Named Queries solve this issue by centralizing the query to one place so that if you need to edit the query you only need to update it in one place.

zacharyw.larson · June 6, 2023, 3:11pm

Thanks