https://netsuiteprofessionals.com logo
Join Slack
Powered by
Hi, does anyone use the "params" when running Suit...
# suiteql
t
Hi, does anyone use the "params" when running SuiteQL vs just using string interpolation? It seems far worse with no benefit and even after trying 20 combinations of stringifying strings with commas here and there I can't make the params happy with anything other than basic singular values
m
Copy code
const paramPlaceholders = Array.from({ length: accountIds.size }, () => "?").join();

const sql = `
  SELECT
	id AS segment,
	custrecord_cs_wm_gl_segment_account AS account
  FROM
	customrecord_cseg_gl_segment
  WHERE
	custrecord_cs_wm_gl_segment_account IN (${paramPlaceholders})
`;

return query
  .runSuiteQL({ query: sql, params: Array.from(accountIds) })
  .asMappedResults()
t
Are you using a Map / Set here?
okay yeah you are, if you do this it creates a ? for each element so then it can replace it with the corresponding value in params. I think its way easier and more readable to just directly throw the values vs the ? in the statement though, no?
m
Yes, that’s right. You can use direct string interpolation. Ideally, though, parameter placeholders are better when the input comes from external sources, as they help prevent SQL injection. In my example, the account IDs came from a controlled query, so the risk was minimal, but I still prefer to use params by default rather than dynamic queries wherever possible.
t
SuiteQL doesn't have write capabilities though and isn't a public system you have to work for the company or be contracted. Sure they could query for tables to get information on things their role might not allow. If a user was doing that though they probably have 100x other ways they got there first though
m
I agree the risk with SuiteQL is quite low. It’s a good habit I carried through from my PHP days
6 Views
Open in Slack
PreviousNext
Powered by