Can I use a parameter in a select statement? For instance, I have:
Select firstname from …
and the table has firstname, lastname, city, etc. So I set up a parameter of attribute_name, string, and I pass ‘firstname’.
Can I then:
select :attribute_name from …
Hi @iyotah !
We don’t support this natively and that’s because it is generally considered bad or unsafe practice. Oftentimes, parameters are used to restrict changes to the structure of the SQL query while still allowing some flexibility in the query.
The workaround is to use the CASE statement. The CASE expression workaround is safe because you still have to list all the possible fields in the CASE expression. Here, the CASE expression limits the field name values that can be used by the query.
Something like this is what you should do:
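-- :attribute_name is the query parameter; only the names listed below map to a field
select case :attribute_name
when 'name' then name
when 'phone' then phone
END as answer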
This forces you to manually enumerate the “allowed” strings that will be translated into paths and doesn’t allow “broadening” of access.
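The behaviour discussed in this thread, as an added example that is not part of the original posts and not the product's own code. It assumes Python's built-in sqlite3 as a stand-in for the query engine; the `people` table, its rows and the helper names are constructed for illustration.

```python
import sqlite3

# Constructed sample data; column names follow the question's example.
ROWS = [("Ada", "Lovelace", "London"), ("Alan", "Turing", "Wilmslow")]


def make_db():
    """Build an in-memory table with firstname, lastname and city columns."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (firstname TEXT, lastname TEXT, city TEXT)")
    db.executemany("INSERT INTO people VALUES (?, ?, ?)", ROWS)
    return db


# A bound parameter is always a value, never an identifier, so this
# selects the literal string that was passed in, once per row.
NAIVE = "SELECT :attribute_name FROM people ORDER BY rowid"

# CASE allowlist: only the names enumerated here are mapped to a column.
# 'city' exists in the table but is deliberately not listed.
ALLOWLISTED = """
SELECT CASE :attribute_name
         WHEN 'firstname' THEN firstname
         WHEN 'lastname'  THEN lastname
       END AS answer
FROM people
ORDER BY rowid
"""


def run(db, sql, attribute_name):
    """Execute sql with attribute_name bound as data; return the first column."""
    cur = db.execute(sql, {"attribute_name": attribute_name})
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    for name in ("firstname", "lastname", "city", "firstname, city"):
        print(f"{name!r:20} naive={run(db, NAIVE, name)} "
              f"allowlisted={run(db, ALLOWLISTED, name)}")
```

A name that is not enumerated in the CASE expression yields NULL for every row, so adding a field to what callers can read requires editing the query text itself.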