Prepared Statements - Parameterized Queries | Tags

<h2 id="prepared-statements-in-geode" class="position-relative d-flex align-items-center group"> Prepared Statements in Geode <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="prepared-statements-in-geode" aria-haspopup="dialog" aria-label="Share link: Prepared Statements in Geode"> Share link </button> </h2><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden> <div class="hsm-dialog" role="document"> <div class="hsm-header"> <h2 id="headingShareTitle" class="h6 mb-0 fw-bold">Share this section</h2> <button type="button" class="hsm-close" aria-label="Close"> </button> </div> <div class="hsm-body"> <label for="headingShareInput" class="form-label small text-muted mb-1 text-uppercase fw-bold" style="font-size: 0.7rem; letter-spacing: 0.5px;">Permalink</label> <div class="input-group mb-4 hsm-url-group"> <input id="headingShareInput" type="text" class="form-control font-monospace" readonly aria-readonly="true" style="font-size: 0.85rem;" /> <button class="btn btn-primary hsm-copy" type="button" aria-label="Copy" title="Copy"> </button> </div> <div class="small fw-bold mb-2 text-muted text-uppercase" style="font-size: 0.7rem; letter-spacing: 0.5px;">Share via</div> <div class="hsm-share-grid"> <a id="share-twitter" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Twitter </a> <a id="share-linkedin" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> LinkedIn </a> <a id="share-facebook" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Facebook </a> </div> </div> </div> </div> <style> .heading-share-modal { position: fixed; inset: 0; display: flex; justify-content: center; align-items: center; background: rgba(0, 0, 0, 0.6); z-index: 1050; padding: 1rem; backdrop-filter: blur(4px); -webkit-backdrop-filter: blur(4px); } .heading-share-modal[hidden] { display: none !important; } .hsm-dialog { max-width: 420px; width: 100%; background: var(--bs-body-bg, #fff); color: var(--bs-body-color, #212529); border: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); border-radius: 1rem; box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25); overflow: hidden; animation: hsm-fade-in 0.2s ease-out; } @keyframes hsm-fade-in { from { opacity: 0; transform: scale(0.95); } to { opacity: 1; transform: scale(1); } } [data-bs-theme="dark"] .hsm-dialog { background: #1e293b; border-color: rgba(255,255,255,0.1); color: #f8f9fa; } .hsm-header { display: flex; justify-content: space-between; align-items: center; padding: 1rem 1.5rem; border-bottom: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); background: rgba(0,0,0,0.02); } [data-bs-theme="dark"] .hsm-header { background: rgba(255,255,255,0.02); border-color: rgba(255,255,255,0.1); } .hsm-close { background: transparent; border: none; color: inherit; opacity: 0.5; padding: 0.25rem 0.5rem; border-radius: 0.25rem; font-size: 1.2rem; line-height: 1; transition: opacity 0.2s; } .hsm-close:hover { opacity: 1; } .hsm-body { padding: 1.5rem; } .hsm-url-group { display: flex !important; align-items: stretch; } .hsm-url-group .form-control { flex: 1; min-width: 0; margin: 0; background: var(--bs-secondary-bg, #f8f9fa); border-color: var(--bs-border-color, #dee2e6); border-top-right-radius: 0; border-bottom-right-radius: 0; height: 42px; } .hsm-url-group .btn { flex: 0 0 auto; margin: 0; margin-left: -1px; border-top-left-radius: 0; border-bottom-left-radius: 0; height: 42px; display: flex; align-items: center; justify-content: center; padding: 0 1.25rem; z-index: 2; } [data-bs-theme="dark"] .hsm-url-group .form-control { background: #0f172a; border-color: #334155; color: #e2e8f0; } .hsm-share-grid { display: flex; flex-direction: column; gap: 0.5rem; } .hsm-share-grid .btn { display: flex; align-items: center; justify-content: center; font-size: 0.9rem; padding: 0.6rem; border-color: var(--bs-border-color); width: 100%; } [data-bs-theme="dark"] .hsm-share-grid .btn { color: #e2e8f0; border-color: #475569; } [data-bs-theme="dark"] .hsm-share-grid .btn:hover { background: #334155; border-color: #cbd5e1; } </style> <script> (function(){ const modal = document.getElementById('headingShareModal'); if(!modal) return; const input = modal.querySelector('#headingShareInput'); const copyBtn = modal.querySelector('.hsm-copy'); const twitter = modal.querySelector('#share-twitter'); const linkedin = modal.querySelector('#share-linkedin'); const facebook = modal.querySelector('#share-facebook'); const closeBtn = modal.querySelector('.hsm-close'); let lastFocus=null; let trapBound=false; function buildUrl(id){ return window.location.origin + window.location.pathname + '#' + id; } function isOpen(){ return !modal.hasAttribute('hidden'); } function hydrate(id){ const url=buildUrl(id); input.value=url; const enc=encodeURIComponent(url); const text=encodeURIComponent(document.title); if(twitter) twitter.href=`https://twitter.com/intent/tweet?url=${enc}&text=${text}`; if(linkedin) linkedin.href=`https://www.linkedin.com/sharing/share-offsite/?url=${enc}`; if(facebook) facebook.href=`https://www.facebook.com/sharer/sharer.php?u=${enc}`; } function openModal(id){ lastFocus=document.activeElement; hydrate(id); if(!isOpen()){ modal.removeAttribute('hidden'); } requestAnimationFrame(()=>{ input.focus(); }); trapFocus(); } function closeModal(){ if(!isOpen()) return; modal.setAttribute('hidden',''); if(lastFocus && typeof lastFocus.focus==='function') lastFocus.focus(); } function copyCurrent(){ try{ navigator.clipboard.writeText(input.value).then(()=>feedback(true),()=>fallback()); } catch(e){ fallback(); } } function fallback(){ input.select(); try{ document.execCommand('copy'); feedback(true);}catch(e){ feedback(false);} } function feedback(ok){ if(!copyBtn) return; const icon=copyBtn.querySelector('i'); if(!icon) return; const prev=copyBtn.getAttribute('data-prev')||icon.className; if(!copyBtn.getAttribute('data-prev')) copyBtn.setAttribute('data-prev',prev); icon.className= ok ? 'fa-duotone fa-clipboard-check':'fa-duotone fa-circle-exclamation'; setTimeout(()=>{ icon.className=prev; },1800); } function handleShareClick(e){ e.preventDefault(); const btn=e.currentTarget; const id=btn.getAttribute('data-share-target'); if(id) openModal(id); } function bindShareButtons(){ document.querySelectorAll('.h-share').forEach(btn=>{ if(!btn.dataset.hShareBound){ btn.addEventListener('click', handleShareClick); btn.dataset.hShareBound='1'; } }); } bindShareButtons(); if(document.readyState==='loading'){ document.addEventListener('DOMContentLoaded', bindShareButtons); } else { requestAnimationFrame(bindShareButtons); } document.addEventListener('click', function(e){ const shareBtn=e.target.closest && e.target.closest('.h-share'); if(shareBtn && !shareBtn.dataset.hShareBound){ handleShareClick.call(shareBtn, e); } }, true); document.addEventListener('click', e=>{ if(e.target===modal) closeModal(); if(e.target.closest && e.target.closest('.hsm-close')){ e.preventDefault(); closeModal(); } if(copyBtn && (e.target===copyBtn || (e.target.closest && e.target.closest('.hsm-copy')))) { e.preventDefault(); copyCurrent(); } }); document.addEventListener('keydown', e=>{ if(e.key==='Escape' && isOpen()) closeModal(); }); function trapFocus(){ if(trapBound) return; trapBound=true; modal.addEventListener('keydown', f=>{ if(f.key==='Tab' && isOpen()){ const focusable=[...modal.querySelectorAll('a[href],button,input,textarea,select,[tabindex]:not([tabindex="-1"])')].filter(el=>!el.hasAttribute('disabled')); if(!focusable.length) return; const first=focusable[0]; const last=focusable[focusable.length-1]; if(f.shiftKey && document.activeElement===first){ f.preventDefault(); last.focus(); } else if(!f.shiftKey && document.activeElement===last){ f.preventDefault(); first.focus(); } } }); } if(closeBtn) closeBtn.addEventListener('click', e=>{ e.preventDefault(); closeModal(); }); })(); </script>Prepared statements (parameterized queries) are essential for secure and efficient database operations. They separate query structure from data, preventing injection attacks and enabling query plan caching for better performance. <h3 id="why-use-prepared-statements" class="position-relative d-flex align-items-center group"> Why Use Prepared Statements? <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="why-use-prepared-statements" aria-haspopup="dialog" aria-label="Share link: Why Use Prepared Statements?"> Share link </button> </h3>Security: Parameters are never interpreted as GQL code, eliminating injection vulnerabilities. Performance: Query plans are cached and reused, avoiding repeated parsing and optimization. Correctness: Proper type handling for all data types including strings with special characters. <h3 id="basic-usage" class="position-relative d-flex align-items-center group"> Basic Usage <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="basic-usage" aria-haspopup="dialog" aria-label="Share link: Basic Usage"> Share link </button> </h3>Python client: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python">from geode_client import Client async def find_user(user_id: int): client = Client(host="localhost", port=3141) async with client.connection() as conn: # Parameters passed separately from query result, _ = await conn.query(""" MATCH (u:User {id: $user_id}) RETURN u.name, u.email """, {'user_id': user_id}) # Safe parameterization return result </code></pre></div>Go client: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go">import ( "database/sql" _ "geodedb.com/geode" ) func findUser(db *sql.DB, userID int) (*User, error) { row := db.QueryRow( "MATCH (u:User {id: $1}) RETURN u.name, u.email", userID, // Parameter binding ) var name, email string err := row.Scan(&name, &email) return &User{Name: name, Email: email}, err } </code></pre></div>Rust client: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-rust" data-lang="rust">use geode_client::{Client, params}; async fn find_user(client: &Client, user_id: i64) -> Result<User, Error> { let result = client.query( "MATCH (u:User {id: $user_id}) RETURN u.name, u.email", Some(params!{"user_id" => user_id}) // Type-safe parameters ).await?; // Process result... Ok(user) } </code></pre></div> <h3 id="injection-prevention" class="position-relative d-flex align-items-center group"> Injection Prevention <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="injection-prevention" aria-haspopup="dialog" aria-label="Share link: Injection Prevention"> Share link </button> </h3>Vulnerable code (NEVER DO THIS): <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"># DANGEROUS: String concatenation allows injection user_input = "'; DELETE (n); MATCH (x" query = f"MATCH (u:User {{name: '{user_input}'}}) RETURN u" await conn.query(query) # Injection attack! </code></pre></div>Safe code: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"># SAFE: Parameters are never interpreted as GQL user_input = "'; DELETE (n); MATCH (x" await conn.query( "MATCH (u:User {name: $name}) RETURN u", {'name': user_input} # Treated as literal string value ) </code></pre></div> <h3 id="parameter-types" class="position-relative d-flex align-items-center group"> Parameter Types <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="parameter-types" aria-haspopup="dialog" aria-label="Share link: Parameter Types"> Share link </button> </h3>Geode supports parameters for all GQL data types: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"># Various parameter types await conn.query(""" CREATE (n:Node { string_val: $str, int_val: $num, float_val: $decimal, bool_val: $flag, list_val: $items, map_val: $metadata, null_val: $empty }) """, { 'str': 'hello', 'num': 42, 'decimal': 3.14, 'flag': True, 'items': [1, 2, 3], 'metadata': {'key': 'value'}, 'empty': None }) </code></pre></div> <h3 id="batch-operations-with-parameters" class="position-relative d-flex align-items-center group"> Batch Operations with Parameters <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="batch-operations-with-parameters" aria-haspopup="dialog" aria-label="Share link: Batch Operations with Parameters"> Share link </button> </h3>Use UNWIND with parameter lists for efficient batch operations: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python">users = [ {'name': 'Alice', 'email': '[email protected]'}, {'name': 'Bob', 'email': '[email protected]'}, ] await conn.query(""" UNWIND $users AS user CREATE (u:User {name: user.name, email: user.email}) """, {'users': users}) </code></pre></div> <h3 id="performance-benefits" class="position-relative d-flex align-items-center group"> Performance Benefits <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="performance-benefits" aria-haspopup="dialog" aria-label="Share link: Performance Benefits"> Share link </button> </h3>Prepared statements enable query plan caching: <ol> <li>First execution: Parse query, optimize, cache plan</li> <li>Subsequent executions: Reuse cached plan with new parameters</li> </ol> For frequently executed queries, this eliminates parsing overhead entirely. <h3 id="best-practices" class="position-relative d-flex align-items-center group"> Best Practices <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="best-practices" aria-haspopup="dialog" aria-label="Share link: Best Practices"> Share link </button> </h3>Always use parameters: Never concatenate user input into queries. Use meaningful parameter names: <code>$user_id</code> is clearer than <code>$1</code> or <code>$p</code>. Validate at application level: Parameters prevent injection but don’t validate business logic. Batch with UNWIND: For multiple similar operations, use UNWIND with a parameter list instead of multiple queries. <h3 id="related-topics" class="position-relative d-flex align-items-center group"> Related Topics <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="related-topics" aria-haspopup="dialog" aria-label="Share link: Related Topics"> Share link </button> </h3><ul> <li><a href="/tags/security/" >Security</a> </li> <li><a href="/tags/performance/" >Performance</a> </li> <li><a href="/tags/query-optimization/" >Query Optimization</a> </li> <li><a href="/tags/gql-reference/" >GQL Reference</a> </li> <li><a href="/docs/client-libraries/" >Client Libraries</a> </li> </ul>

Popular

Prepared Statements - Parameterized Queries

Related Articles