
2023.2.0 to 2023.2.2

1. SqlBuilder: Format for Prepared Statements Removed

What changed

The SqlBuilder no longer accepts the prepared statement array format ["Query", [Value, Type]]. The new library PreparedSqlStatement_lib provides the PreparedSqlStatement object, which must now be created explicitly in its place.

Why it matters

With the old format, any array of the right shape was accepted as a complete statement, so an array built from an unvalidated external source (request parameters, imported data) could carry its own query text straight into the database. Requiring an explicit PreparedSqlStatement makes the point at which a query is constructed visible in code and keeps the query text separate from externally supplied values, in line with secure SQL construction practice.

How to migrate

  1. Add PreparedSqlStatement_lib and Sql_lib to your system.
  2. Refactor every previous usage of ["Query", [Value, Type]] to one of the following:
    • PreparedSqlStatement.fromArray(["Query", [Value, Type]]) for backward compatibility, and only with data you have validated yourself.
    • Or instantiate the object directly: new PreparedSqlStatement("Query", [Value, Type])
Warning

Never pass unvalidated external input to PreparedSqlStatement.fromArray(), for example:

var stmt = PreparedSqlStatement.fromArray(vars.get($param.statements)); // UNSAFE

The array you hand to fromArray() contains the query text itself, so the caller decides what is executed. Validate or quote input before use, and let external input supply parameter values only, never the statement array as a whole.
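The migration steps and the warning above describe the same rule from two sides: construct the statement in code, and treat any array from outside as suspect. The following is an added example, not code from PreparedSqlStatement_lib or any ADITO library: a minimal stand-in for the PreparedSqlStatement object with the same constructor and fromArray() shape, plus an explicit validation step for arrays that arrive from outside. The class internals, the helper names validateStatementArray and buildLookup, the SQL_TYPES and KNOWN_QUERIES sets, the sample query and the sample attacker array are all this example's own assumptions; the parameter list is assumed to be an array of [Value, Type] pairs.

```javascript
// Added example (not ADITO library code). Stand-in for the PreparedSqlStatement
// object described in the migration note; all names and internals are assumed.

const SQL_TYPES = new Set(["VARCHAR", "INTEGER", "DATE"]); // assumed type names

// Queries the application itself defines. External data may fill placeholders,
// but must never choose or alter the query text.
const KNOWN_QUERIES = new Set([
  "select PERSONID, FIRSTNAME from PERSON where LASTNAME = ?",
]);

class PreparedSqlStatement {
  constructor(query, params) {
    if (typeof query !== "string") throw new TypeError("query must be a string");
    if (!Array.isArray(params)) throw new TypeError("params must be an array of [value, type] pairs");
    const placeholders = (query.match(/\?/g) || []).length;
    if (placeholders !== params.length) {
      throw new RangeError(`query has ${placeholders} placeholder(s) but ${params.length} value(s)`);
    }
    for (const pair of params) {
      if (!Array.isArray(pair) || pair.length !== 2 || !SQL_TYPES.has(pair[1])) {
        throw new TypeError("each parameter must be [value, type] with a known SQL type");
      }
    }
    this.query = query;
    this.params = params.map(([value, type]) => [value, type]);
  }

  // Backward-compatible factory for the old ["Query", [[Value, Type], ...]] shape.
  // It checks the shape only; it cannot know whether the query text is trusted.
  static fromArray(arr) {
    if (!Array.isArray(arr) || arr.length !== 2) {
      throw new TypeError('expected ["Query", [[Value, Type], ...]]');
    }
    return new PreparedSqlStatement(arr[0], arr[1]);
  }
}

// Validation to run before fromArray() sees anything that came from outside:
// the query text must be one the application defined itself.
function validateStatementArray(arr) {
  if (!Array.isArray(arr) || arr.length !== 2 || !KNOWN_QUERIES.has(arr[0])) {
    throw new Error("rejected statement array: query text is not an application-defined query");
  }
  return PreparedSqlStatement.fromArray(arr);
}

// The safe pattern: external input supplies only the value; query text and
// SQL type are fixed in code, so the value can only ever be a bound parameter.
function buildLookup(lastNameFromRequest) {
  return new PreparedSqlStatement(
    "select PERSONID, FIRSTNAME from PERSON where LASTNAME = ?",
    [[String(lastNameFromRequest), "VARCHAR"]]
  );
}

// Constructed sample of what an untrusted caller could send as $param.statements:
// a well-formed statement array whose query text the caller chose.
const untrustedStatementArray = [
  "delete from PERSON where 1 = ?",
  [[1, "INTEGER"]],
];

function demo() {
  const results = {};
  // fromArray() accepts the hostile array: its shape is perfectly valid.
  results.fromArrayAccepted = PreparedSqlStatement.fromArray(untrustedStatementArray).query;
  // The explicit validation step rejects it: the query is not one of ours.
  try {
    validateStatementArray(untrustedStatementArray);
    results.validated = "accepted";
  } catch (e) {
    results.validated = "rejected";
  }
  // Building the statement in code keeps a hostile value as a bound parameter.
  const stmt = buildLookup("O'Brien' or 1=1 --");
  results.safeQuery = stmt.query;
  results.safeParam = stmt.params[0][0];
  return results;
}
```

Run demo() to see the three outcomes side by side: fromArray() returns the attacker's delete statement unchanged, validateStatementArray() throws, and buildLookup() leaves the injected text as a parameter value that never touches the query string. The allow-list of query text is the part fromArray() cannot do for you, which is why the migration note insists on validated data there.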