To submit a query, use the following function:
get rigDbQuery("YOUR QUERY HERE")
The rigDbQuery() function returns a database result array when "read" type queries are run. When "write" type queries are run it simply returns TRUE or FALSE depending on success or failure. When retrieving data you will typically assign the query to your own variable, like this:
put rigDbQuery("YOUR QUERY HERE") into tQuery
This is a simplified version of the rigDbQuery() function. It ONLY returns TRUE/FALSE on success or failure. It DOES NOT return a database result set, nor does it set the query timer, or compile bind data, or store your query for debugging. It simply lets you submit a query. Most users will rarely use this function.
Adding Database prefixes manually
If you have configured a database prefix and would like to add it in manually for, you can use the following.
get rigDbPrefix("tablename") -- outputs prefixtablename
In many databases it is advisable to protect table and field names - for example with backticks in MySQL. Active Record queries are automatically protected, however if you need to manually protect an identifier you can use:
This function will also add a table prefix to your table, assuming you have a prefix specified in your database config file. To enable the prefixing set TRUE (boolen) via the second parameter:
get rigProtectIdentifiers("tabelName", TRUE)
It's a very good security practice to escape your data before submitting it into your database. revIgniter has three functions that help you do this:
- rigDbEscape() This function determines the data type so that it
can escape only string data. It also automatically adds single quotes around the data so you don't have to:
put "INSERT INTO table (title) VALUES(" & rigDbEscape(tTitle) & ")" into tSQL
- rigEscapeStr() This function escapes the data passed to it, regardless of type.
Most of the time you'll use the above function rather than this one. Use the function like this:
put "INSERT INTO table (title) VALUES('" & rigEscapeStr(tTitle) & "')" into tSQL
- rigEscapeLikeStr() This function should be used when strings are to be used in LIKE
conditions so that LIKE wildcards ('%', '_') in the string are also properly escaped.
put "20% raise" into tSearch put "SELECT id FROM table WHERE column LIKE '%" & rigEscapeLikeStr(tSearch) & "%'" into tSQL
Note: This function converts "true" and "false" to 1 and 0 respectively. If for what ever reason you need to store booleans as strings in your database you should use the rigEscapeStr() function instead.
Bindings enable you to simplify your query syntax by letting the system put the queries together for you. Consider the following example:
put "SELECT * FROM some_table WHERE id = :1 AND status = :2 AND author = :3" into tSQL put 3 into tArray put "live" into tArray put "Rick" into tArray get rigDbQuery(tSQL, tArray)
The sequential numbers prepended by a colon in the query are automatically replaced with the values in the array in the second parameter of the rigDbQuery function. You can use a comma separated list too, instead of an array.
The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don't have to remember to manually escape data; revIgniter does it automatically for you.