...

The only thing you need to be careful of is making sure that values coming from external sources are properly escaped. We will use the conn:quote{} function to do this. The conn:quote{} function puts quotes around the strings it returns, so you must not add quotes around strings in the SQL query text. Other than this, all you have to do is concatenate your strings to create the stored procedure call; take a look at the strategies for writing dynamic SQL statements.

...

Take the following example stored procedure:

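```sql
-- The parameter is prefixed so it cannot be confused with the LastName column;
-- with identical names the comparison would not filter on the supplied value.
CREATE PROCEDURE GetPatientByLastName(IN p_LastName TEXT)
BEGIN
    SELECT * FROM Patients WHERE LastName = p_LastName;
END;
```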

In Iguana, we can execute this stored procedure using conn:execute{}:

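```lua
-- conn is an open database connection; lastName holds a value from an external source.
-- Prepare the SQL call (conn:quote adds the surrounding quotes itself)
local sqlCall = "CALL GetPatientByLastName(" .. conn:quote(lastName) .. ")"

-- Execute the stored procedure
local result = conn:execute{sql=sqlCall}
```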
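The quoting rule above, generalized to procedures with several arguments, as an added example that is not part of the original page or of Iguana. `buildCall` and `StubConn` are hypothetical names; the stub's `quote` (doubling single quotes) is an assumption that lets the script run outside Iguana, where the real conn:quote{} applies the database's own rules.

```lua
-- Stand-in for an Iguana connection (assumption, not Iguana's implementation).
local StubConn = {}
function StubConn:quote(s)
   return "'" .. (s:gsub("'", "''")) .. "'"
end

-- Hypothetical helper: builds "CALL proc(arg1, arg2, ...)".
-- args is an array; set args.n when trailing arguments may be nil.
local function buildCall(conn, procName, args)
   -- quote() protects values, not identifiers, so the procedure name must
   -- be a plain identifier written in the script, never external data.
   if type(procName) ~= 'string' or not procName:match('^[%a_][%w_]*$') then
      error('invalid procedure name: ' .. tostring(procName))
   end
   local parts = {}
   for i = 1, args.n or #args do
      local v = args[i]
      if v == nil then
         parts[i] = 'NULL'
      elseif type(v) == 'number' then
         -- Reject NaN and infinities, which have no SQL literal form.
         if v ~= v or v == math.huge or v == -math.huge then
            error('non-finite number at position ' .. i)
         end
         parts[i] = tostring(v)
      elseif type(v) == 'string' then
         parts[i] = conn:quote(v)   -- adds the surrounding quotes itself
      else
         error('unsupported argument type at position ' .. i .. ': ' .. type(v))
      end
   end
   return 'CALL ' .. procName .. '(' .. table.concat(parts, ', ') .. ')'
end

-- Constructed sample values, as they might arrive in an inbound message.
for _, lastName in ipairs{ 'Smith', "O'Brien" } do
   -- Hand-added quotes: an apostrophe in the data ends the string early.
   local handQuoted = "CALL GetPatientByLastName('" .. lastName .. "')"
   local quoted = buildCall(StubConn, 'GetPatientByLastName', { lastName })
   print('hand-quoted: ' .. handQuoted)
   print('conn:quote : ' .. quoted)
end

return buildCall
```

Inside Iguana, pass the real connection object in place of `StubConn` and hand the returned string to conn:execute{}.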