Prepared statement support

jsuto · December 29, 2022, 7:10am

I have an app written in C, and would like to use prepared statements to add documents to an index. However, manticore says “unknown command”

When I use “insert into table1 (id, title) values(1, ‘aaa’)”, then it succeeds.
Then I try the following prepared statement: “insert into table1 (id, title) values(?,?)”

This happens on the wire:

T 127.0.0.1:52662 → 127.0.0.1:9306 [AP] #158
…INSERT INTO table1 (id, title) VALUES(?,?)

T 127.0.0.1:9306 → 127.0.0.1:52662 [AP] #159
"…#08S01unknown command (code=22)

So the question is how to add documents safely to an index? I assume I just can’t or at least shouldn’t blindly concatenate the sql insert statement string as it contains untrusted input.

Sergey · December 29, 2022, 7:13am

Manticore doesn’t support that part of the mysql protocol which is responsible for prepared statements, so you have to prepare a full query on the app’s side escaping the values properly.

jsuto · December 29, 2022, 7:14am

Thank you for the response. Any plans to support it in future manticore releases?

Sergey · December 29, 2022, 7:17am

It’s not in our nearest plans.

jsuto · December 17, 2023, 5:18pm

What are the current plans? Is prepared statement support among them? I could really use this feature.

tomat · December 18, 2023, 8:29am

it is still in the backlog