adminsql - execute arbitrary SQL

SYNOPSIS

<adminsql [options ...] [statement ...]>


DESCRIPTION
The adminsql function executes an arbitrary SQL command, constructed by concatenating its arguments into one string. The result rows of the command are printed in an HTML table, with the columns named after the fields. Unlike the SQL statement, there is no restriction on returned field names being valid Vortex variable names (e.g. convert(id, 'date') is ok). However, the fields are not returned; they are simply printed out. Because the arguments are appended together and executed as a single string, the argument protection afforded by the SQL statement is removed. Any SQL parameters, such as field values, must be given as literals, e.g. string values must be in single quotes.

Several options are available. Note that since <adminsql> is implemented as a user (not builtin) function, options that take arguments must be quoted atomically with no space, e.g. "MAX=5".

  • SKIP=N Skips the first N result rows (does not print them). Added in version 5.01.1197080000 20071207.

  • MAX=N Prints at most N result rows (not including SKIP).


DIAGNOSTICS
adminsql returns nothing.


EXAMPLE

<$tbl = "SYSTABLES">  <adminsql "select" " * from " $tbl>


CAVEATS
The adminsql function was added Oct. 10 1996.

Note: No checking of the SQL is done before execution; it is the caller's responsibility. The caller must ensure that the statement is correct and that no "rogue" SQL is being inserted (aka "SQL injection"), e.g. a value of "; DROP TABLE xyz" for some field value. The parameter protections of the SQL statement are not applied to adminsql's arguments. It is safer to use the SQL statement where possible, which can protect against SQL injection; adminsql is primarily useful only for tables with unknown column names (e.g. "SELECT *").
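
The caller-side check this note asks for, as an added example (not Thunderstone code): Python's sqlite3 stands in for Texis, sqlite_master stands in for SYSTABLES, and concat_statement, checked_table and dump_table are hypothetical names. The table name, which cannot be passed as a parameter, is vetted against the catalog before it is concatenated; the row limits (analogous to MAX and SKIP) are bound parameters.

```python
import re
import sqlite3

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def concat_statement(*args):
    """Model of the documented behaviour: arguments are appended into one string."""
    return "".join(args)

def checked_table(conn, name):
    """Return name only if it is a plain identifier AND an existing table."""
    if not IDENT.fullmatch(name):
        raise ValueError(f"not a plain identifier: {name!r}")
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name = ?", (name,)
    ).fetchone()
    if row is None:
        raise ValueError(f"unknown table: {name!r}")
    return row[0]  # use the catalog's copy, not the caller's string

def dump_table(conn, table, max_rows=5, skip=0):
    """SELECT * with a vetted table name; the limits are bound, not concatenated."""
    stmt = concat_statement("select", " * from ", checked_table(conn, table),
                            " limit ? offset ?")
    cur = conn.execute(stmt, (int(max_rows), int(skip)))
    cols = [d[0] for d in cur.description]
    return cols, cur.fetchall()

def demo():
    # Constructed sample data; the table name xyz is taken from the note above.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE xyz (id INTEGER, note TEXT);"
        "INSERT INTO xyz VALUES (1, 'a'), (2, 'b'), (3, 'c');"
    )
    ok = dump_table(conn, "xyz", max_rows=2, skip=1)
    try:
        dump_table(conn, "xyz; DROP TABLE xyz")  # the note's rogue value
        rejected = False
    except ValueError:
        rejected = True
    survivors = conn.execute("SELECT count(*) FROM xyz").fetchone()[0]
    return ok, rejected, survivors

if __name__ == "__main__":
    print(demo())
```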


SEE ALSO
SQL, createdb


Copyright © Thunderstone Software     Last updated: Apr 15 2024