mirror of https://github.com/strapi/strapi.git, synced 2025-10-31 09:56:44 +00:00
# Raw

Sometimes you may need to use a raw expression in a query. A raw query object can be passed almost anywhere in a query builder chain, and using proper bindings ensures your values are escaped correctly, preventing SQL injection attacks.

## Raw Parameter Binding

The SQL given to `strapi.connections.default.raw(sql, bindings)` can be parameterized. Parameters can be positional or named. One can also choose whether a parameter should be treated as a value or as an SQL identifier, e.g. for a `TableName.ColumnName` reference.

```js
strapi.connections.default('users')
  .select(strapi.connections.default.raw('count(*) as user_count, status'))
  .where(strapi.connections.default.raw(1))
  .orWhere(strapi.connections.default.raw('status <> ?', [1]))
  .groupBy('status')
```

With positional bindings, `?` is interpreted as a value and `??` as an identifier:

```js
strapi.connections.default('users')
  .where(strapi.connections.default.raw('?? = ?', ['user.name', 1]))
```

With named bindings, `:name` is interpreted as a value and `:name:` as an identifier:

```js
strapi.connections.default('users')
  .where(strapi.connections.default.raw(':name: = :thisGuy or :name: = :otherGuy', {
    name: 'users.name',
    thisGuy: 'Bob',
    otherGuy: 'Jay'
  }))
```

For simpler queries with only a single binding, `.raw` can accept that binding directly as its second parameter:

```js
strapi.connections.default('users')
  .where(
    strapi.connections.default.raw('LOWER("login") = ?', 'strapi')
  )
  .orWhere(
    strapi.connections.default.raw('accesslevel = ?', 1)
  )
  .orWhere(
    strapi.connections.default.raw('updtime = ?', new Date())
  )
```

Note that, to avoid ambiguity, an array value must be passed inside a containing array:

```js
strapi.connections.default
  .raw('select * from users where id in (?)', [[1, 2, 3]])
```

To prevent replacement of `?`, use the escape sequence `\\?`:

```js
strapi.connections.default
  .select('*').from('users')
  .where('id', '=', 1)
  .whereRaw('?? \\? ?', ['jsonColumn', 'jsonKey'])
```

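To make the binding rules above (positional `?`/`??`, named `:name`/`:name:`, a single non-array binding, nested arrays for `in (?)`, and the `\\?` escape) visible without a database, here is an added, self-contained example. It is not Strapi or knex code: it is a toy binder that inlines bindings as Postgres-style quoted literals and identifiers so the resulting SQL can be inspected, whereas the real `.raw()` hands values to the driver as parameters. The function names (`raw`, `bindPositional`, `bindNamed`, `compareConcatVsBound`) are this example's own, and the quoting rules it applies are an assumption chosen for illustration.

```javascript
// Added example, not Strapi/knex code. Mirrors the placeholder rules from the
// docs above by rendering bindings into SQL text. Assumption: Postgres-style
// quoting ('...' for values with '' doubling, "..." for identifiers).
// Postgres `::type` casts are not handled by this toy binder.

function quoteValue(v) {
  if (v === null || v === undefined) return 'NULL';
  if (typeof v === 'number') return String(v);
  if (typeof v === 'boolean') return v ? 'TRUE' : 'FALSE';
  if (v instanceof Date) return `'${v.toISOString()}'`;
  // An array binding expands to a comma list, which is why `in (?)` needs [[1, 2, 3]].
  if (Array.isArray(v)) return v.map(quoteValue).join(', ');
  // Single quotes inside the value are doubled so they cannot end the literal.
  return `'${String(v).replace(/'/g, "''")}'`;
}

function quoteIdentifier(id) {
  // "user.name" -> "user"."name"; embedded double quotes are doubled.
  return String(id)
    .split('.')
    .map((part) => `"${part.replace(/"/g, '""')}"`)
    .join('.');
}

// Positional form: `?` is a value, `??` an identifier, `\?` a literal `?`.
function bindPositional(sql, bindings) {
  const values = Array.isArray(bindings) ? bindings : [bindings]; // single binding allowed
  let i = 0;
  const out = sql.replace(/\\\?|\?\??/g, (m) => {
    if (m === '\\?') return '?';
    if (i >= values.length) throw new Error('too few bindings');
    const v = values[i++];
    return m === '??' ? quoteIdentifier(v) : quoteValue(v);
  });
  if (i !== values.length) throw new Error('too many bindings');
  return out;
}

// Named form: `:name` is a value, `:name:` an identifier.
function bindNamed(sql, bindings) {
  return sql.replace(/\\\?|:(\w+)(:?)/g, (m, name, isIdent) => {
    if (m === '\\?') return '?';
    if (!(name in bindings)) throw new Error(`missing binding :${name}`);
    return isIdent ? quoteIdentifier(bindings[name]) : quoteValue(bindings[name]);
  });
}

// Dispatch the way the docs describe: arrays and scalars are positional,
// plain objects are named bindings.
function raw(sql, bindings) {
  if (bindings === undefined) return sql;
  const positional =
    bindings === null ||
    Array.isArray(bindings) ||
    typeof bindings !== 'object' ||
    bindings instanceof Date;
  return positional ? bindPositional(sql, bindings) : bindNamed(sql, bindings);
}

// Side-by-side view of string concatenation versus a bound parameter for the
// same untrusted input: only the bound form keeps the input inside a literal.
function compareConcatVsBound(userInput) {
  return {
    concatenated: 'select * from users where status = ' + userInput, // vulnerable pattern
    bound: raw('select * from users where status = ?', [userInput]),
  };
}

console.log(raw('?? = ?', ['user.name', 1]));
console.log(raw(':name: = :thisGuy or :name: = :otherGuy', { name: 'users.name', thisGuy: 'Bob', otherGuy: 'Jay' }));
console.log(raw('?? \\? ?', ['jsonColumn', 'jsonKey']));
console.log(compareConcatVsBound('1 or 1=1'));
```

Running it shows `"user"."name" = 1` for the positional form, `"users"."name" = 'Bob' or "users"."name" = 'Jay'` for the named form, and `"jsonColumn" ? 'jsonKey'` for the escaped operator. The binding-count checks in `bindPositional` are deliberate: a mismatch between placeholders and bindings is a bug worth failing loudly on rather than silently rendering.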
## Raw expressions

Raw expressions are created with `strapi.connections.default.raw(sql, [bindings])` and the result is passed as a value anywhere in the query chain.

```js
strapi.connections.default('users')
  .select(strapi.connections.default.raw('count(*) as user_count, status'))
  .where(strapi.connections.default.raw(1))
  .orWhere(strapi.connections.default.raw('status <> ?', [1]))
  .groupBy('status')
```