So I have a query to create table, but the column names and table names are dynamic, the user can change them. But when i try to execute my query as {{state.createTableSQL}} where createTableSQL holds the query, it parameterizes and gives an error {
query: “tate.createTableSQ”,
params: [
“CREATE TABLE newtable (“dfghj” INT, “egsrdghv” FLOAT);”
]
}
does anyone know how to go about it? Any help is appreciated thank you!
Hi @RGB,
The thing with {{ ... }} variables and queries is that the variables are meant to be the dynamic data in the query, not the whole query itself.
Whenever there is such a variable in a query, UI Bakery takes the value of that variable, replaces it with a ? question mark and stores the value in the parameters. As you said, it parameterizes.
These so-called prepared statements are enabled by default for data sources because they make executing the same query multiple times more efficient and also prevent/eliminate SQL-injection.
To disable this behavior and make your queries run, go to your data sources settings, find this checkbox and disable it:
But, if you disable it, user inputs must be sanitized, or you risk SQL-injection. To keep things neat and clean, you can create a global function that does that, so you can just wrap the dynamic values on the go like {{ mySanitizingFunction(state.queryData.variableName) }} inside the query step.
I can recommend just keeping the dynamic values in a state object (or some other way) and already hard-coding the static parts into the query step. Like this, for example:
Makes it easier to debug, maintain and modify, at least I think so.
2 Likes
Thank you so much! This really helps a lot! 
1 Like