Skip to content

Feature: --param NAME=VAL named SQL parameter binding #197

Description

@vmvarela

Context

sqlite-utils supports -p name value for binding named :name parameters in SQL. sql-pipe currently requires manual string concatenation in the query, which is fragile and risky (SQL injection).

Proposed flag

-p, --param NAME=VAL    Named SQL parameter (repeatable)

UX examples

# Safe parameterized query
sql-pipe data.csv -p id=42 "SELECT * FROM data WHERE id = :id"

# Multiple params
sql-pipe data.csv -p min=10 -p max=50 "SELECT * FROM data WHERE val BETWEEN :min AND :max"

Scope (v1)

  • Use SQLite sqlite3_bind_parameter_index + sqlite3_bind_text to bind named params
  • Fatal error on unknown parameter name (Levenshtein suggestion if possible)
  • All values bound as TEXT (consistent with sql-pipe type inference behavior)
  • Repeatable flag

Excluded (YAGNI)

  • Typed parameters (bool, int, date) in v1 — everything is text; SQL can cast if needed
  • Positional parameters (?1, ?)
  • Named params without matching :name in query (just fatal error)

Files affected

  • src/args.zig — parse -p/--param flag, collect into Param{name, value} list
  • src/main.zig — in execQuery() or the prepare step, bind parameters before step

Acceptance criteria

  • -p id=42 "SELECT * FROM t WHERE id = :id" filters correctly
  • -p name="hello world" handles values with spaces and quotes
  • Missing :param in query gives clear error
  • Integration test with multiple params

Metadata

Metadata

Assignees

No one assigned

    Labels

    priority:highMust be in the next sprintsize:sSmall — 1 to 4 hoursstatus:readyRefined and ready for sprint selectiontype:featureNew functionality

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions