[RFC] Parameterized statement

[czpmango]

Summary

A parameterized query is a query in which placeholders are used for parameters and the parameter values are supplied at execution time. The scope of parameters are within the current session.

Motivation

• preventing SQL Injection
• dynamic parameter transfer
• improve organization of repeated user data
• friendly to the plan cache

Usage explanation

• defining parameters

:param p1=>[1,2,3];
:param props=>[{a:1,b:2},{a:11}];
:param {p2:{a:1,b:2},l:1}

• using parameters

MATCH (v:player{age:$p1[0]}) 
WHERE v.age in $props 
UNWIND $props as prop 
RETURN v,prop,abs($p2.a+1),$p1, $p2.a,$props

Design explanation

• parse the parameter definition statement and write to session
• define the ParameterExpression and execute it at run time

Rationale and alternatives

• handling on the client (unfriendly to error checking)
• rewriting before optimizer (unfriendly to plan cache)
• ...

Unresolved questions

• Conflict with nGql's $var.

Future possibilities

[Shylock-Hg]

According to the description of cypher, the parameter is defined in client side. Do you consider it?

[czpmango]

According to the description of cypher, the parameter is defined in client side. Do you consider it?

You are right.
In the current design, the parameter is transparent to the client.
In fact, parameter is a client concept and should be defined and managed by the client.

[CPWstatic]

We had a feature list to track this, i'll close this firstly.