update (2/25/2013)
The new syntax will be, allowing for the existing syntax as well as allowing for a prepared statement to be defined with an object.
// plain query
collection.fetch({
query: 'select * from some_table where column1 = "somevalue"'
});
// prepared statement
collection.fetch({
query: {
statement: 'select * from some_table where column1 = ?',
params: [values]
}
});
original
Currently there is no support for prepared statements. The only way to make an SQL statement with parameters is to have code insert the parameters. This is a security risk, a bad practice, and reflects poorly on Alloy models as a whole.
Currently I have to:
collection.fetch({query: "select * from some_table where column1 = '" + value + "'");
Ideally I would like to:
collection.fetch({query: "select * from some_table where column1 = ?" + params: [value]});
Assuming this uses the Ti.Database.execute() in the background, this should be a small change as the execute() method already supports this.
The proposed syntax doesn't make much sense, in that it's using inline concatenation of arguments, making it look like some kind of string:
collection.fetch({ query: "select * from some_table where column1 = ?" + params: [value] });collection.fetch({ query: "select * from some_table where column1 = ?", params: [value] });collection.fetch({ query: { statement: "select * from some_table where column1 = ?", params: [values] } });You're correct in your assumption, I intended a comma instead of a plus sign. However, I do like your proposal better. Thank you.
Sample code available in https://github.com/appcelerator/alloy/tree/1_1_X/test/apps/models/sql_queries Verified as fixed. Alloy: 1.1.0-cr CLI version: 3.1.0-cr TiSDK: 3.1.0.v20130408154547 Closing.