HACKER Q&A
📣 lfconsult

Is there is an sqlite3_expanded_SQL()'s equivalent for other DBMS?


Hi HN,

I'm digging around in order to find a way to get back the SQL statement from a compiled statement with bound parameters (avoid SQLi) for others DBMS.

I've found - with excitements- that the SQLite C interface have a sqlite3_expanded_sql()* function to get exactly what I needed.

As I didn't found anything for SQLServer, I thought - at first - that it was just not possible at all because the SQL statement and parameters were sent separately (or, kind of, maybe the same compiled blob but without any chance to building back the raw SQL statement).

For example, the raw SQL statement is : SELECT * FROM Genre WHERE Name = ?

The bound parameter is : "Pop"

I would like to get back : SELECT * FROM Genre WHERE Name = 'Pop'

Maybe it's a profane question but I did spend a lot of time around in order to find what I need.

If you ever wonder why I'm asking this question, just for curiosity. In order to know if it's not even thinkable, doable, or just no implemented yet or if it depends of the DBMS or 42.

* https://sqlite.org/c3ref/expanded_sql.html


  👤 selecsosi Accepted Answer ✓
Not for sqlserver, but for postgres working w/ python, the psycopg library has a API for getting the bound parameter expression

https://www.psycopg.org/docs/cursor.html#cursor.mogrify


👤 yellow_lead
MariaDB doesn't have one, I've searched before.

👤 lfconsult
The result of sqlite3_expanded_sql() is a pointer to the string containing the SQL statement with bound parametrer(s):

"The string returned by sqlite3_expanded_sql(P) [...] is obtained from sqlite3_malloc() [...]"

From SQLite documentation: https://www.sqlite.org/c3ref/expanded_sql.html