Prepared statement support

I have an app written in C, and would like to use prepared statements to add documents to an index. However, manticore says “unknown command”

When I use “insert into table1 (id, title) values(1, ‘aaa’)”, then it succeeds.
Then I try the following prepared statement: “insert into table1 (id, title) values(?,?)”

This happens on the wire:

T 127.0.0.1:52662 → 127.0.0.1:9306 [AP] #158
…INSERT INTO table1 (id, title) VALUES(?,?)

T 127.0.0.1:9306 → 127.0.0.1:52662 [AP] #159
"…#08S01unknown command (code=22)

So the question is how to add documents safely to an index? I assume I just can’t or at least shouldn’t blindly concatenate the sql insert statement string as it contains untrusted input.

Manticore doesn’t support that part of the mysql protocol which is responsible for prepared statements, so you have to prepare a full query on the app’s side escaping the values properly.
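Since the server will not bind parameters for you, the application has to produce a complete, correctly escaped statement itself. The following is an added example, not code from the thread or from Manticore: a small C routine that escapes a value for a single-quoted SQL literal using the same character set that libmysqlclient's mysql_real_escape_string() handles (NUL, newline, carriage return, backslash, single and double quote, Ctrl-Z), and a builder that treats the id as an integer so that only the title ever passes through escaping. It assumes that Manticore's SQL parser accepts backslash-escaped quotes inside single-quoted literals; the table and column names are the ones from the thread, and the sample title is constructed input. If you already link against libmysqlclient, calling mysql_real_escape_string() with a live connection is the equivalent step.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Escape `in` for use inside a single-quoted SQL string literal.
 * Mirrors the characters mysql_real_escape_string() rewrites:
 * NUL, \n, \r, backslash, single quote, double quote, Ctrl-Z.
 * Returns the escaped length, or -1 if `out` is too small.
 * Assumption: Manticore accepts backslash escapes in single-quoted literals. */
long escape_sql_literal(const char *in, size_t inlen, char *out, size_t outcap)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char)in[i];
        char esc = 0;
        switch (c) {
        case '\0':   esc = '0';  break;
        case '\n':   esc = 'n';  break;
        case '\r':   esc = 'r';  break;
        case '\\':   esc = '\\'; break;
        case '\'':   esc = '\''; break;
        case '"':    esc = '"';  break;
        case '\x1a': esc = 'Z';  break;
        default: break;
        }
        if (esc) {
            if (o + 2 >= outcap) return -1;   /* room for two bytes plus NUL */
            out[o++] = '\\';
            out[o++] = esc;
        } else {
            if (o + 1 >= outcap) return -1;   /* room for one byte plus NUL */
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Build the full INSERT statement for the thread's table.
 * The id is passed as an integer, so it is never spliced in as text;
 * only the title goes through escaping. Returns the statement length,
 * or -1 if either buffer is too small. */
long build_insert(uint64_t id, const char *title, char *out, size_t outcap)
{
    char esc[1024];
    if (escape_sql_literal(title, strlen(title), esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, outcap,
                     "INSERT INTO table1 (id, title) VALUES(%llu, '%s')",
                     (unsigned long long)id, esc);
    if (n < 0 || (size_t)n >= outcap)
        return -1;
    return n;
}

int main(void)
{
    char q[2048];
    /* Constructed untrusted input: a quote that would terminate the
     * literal if the string were concatenated without escaping. */
    const char *title = "aaa'); DROP TABLE table1; --";
    if (build_insert(1, title, q, sizeof q) < 0)
        return 1;
    puts(q);   /* the quote arrives as \' and stays inside the literal */
    return 0;
}
```

The two design points worth keeping whatever library you use: non-string columns are parsed into their native type before formatting (an id that fails to parse as an integer is rejected, not quoted), and the escaping step is applied to every string value with no exceptions, with the output length checked so a long title cannot silently truncate the statement.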

Thank you for the response. Any plans to support it in future manticore releases?

It’s not in our nearest plans.

What are the current plans? Is prepared statement support among them? I could really use this feature.

It is still in the backlog.

How about 2 years later? Are prepared statements in the plans? It would make my app much more secure, because I wouldn’t have to concatenate an sql statement where input comes from untrusted sources. Escaping data is still a very suboptimal solution.

There’s a PR from a non-core team member: feat(prepare): add logic for prepare statments by 0xfourzerofour · Pull Request #3431 · manticoresoftware/manticoresearch · GitHub
and the related issue: Prepared statements like in mysql · Issue #1124 · manticoresoftware/manticoresearch · GitHub.
However, it still needs more work.

If an enterprise really needs this extra security and is able to sponsor development by the core team, we’ll be glad to adjust our priorities and complete the task.