The prepare object command against the connection accepts arbitrary SQL code to be executed against the database. The SQL code may contain bound variables, which are strings of alphanumeric characters or underscores (the first character of the string may not be numeric), prefixed with a colon (:). If a bound variable appears in the SQL statement, and is not in a string set off by single or double quotes, nor in a comment introduced by --, it becomes a value that is substituted when the statement is executed. A bound variable becomes a single value (string or numeric) in the resulting statement. Drivers are responsible for ensuring that the mechanism for binding variables prevents SQL injection.
The preparecall object command against the connection accepts a stylized statement in the form:
procname (?:varname? ?,:varname...?)
or
varname = procname (?:varname? ?,:varname...?)
This statement represents a call to a stored procedure procname in the database. The variable name to the left of the equal sign (if present), and all variable names that are parameters inside parentheses, become bound variables.
The params method against a statement object enumerates the bound variables that appear in the statement. The result returned from the params method is a dictionary whose keys are the names of bound variables (listed in the order in which the variables first appear in the statement), and whose values are dictionaries. The subdictionaries include at least the following keys (database drivers may add additional keys that are not in this list).
The paramtype object command allows the script to specify the type and direction of parameter transmission of a variable in a statement. (Some databases provide no method to determine this information automatically and place the burden on the caller to do so.) The direction, type, precision, scale, and nullable arguments have the same meaning as the corresponding dictionary values in the params object command.
The execute object command executes the statement. Prior to executing the statement, values are provided for the bound variables that appear in it. If the dict parameter is supplied, it is searched for a key whose name matches the name of the bound variable. If the key is present, its value becomes the substituted variable. If not, the value of the substituted variable becomes a SQL NULL. If the dict parameter is not supplied, the execute object command searches for a variable in the caller's scope whose name matches the name of the bound variable. If one is found, its value becomes the bound variable's value. If none is found, the bound variable is assigned a SQL NULL as its value. Once substitution is finished, the resulting statement is executed. The return value is a result set object (see tdbc::resultset for details).
The resultsets method returns a list of all the result sets that have been returned by executing the statement and have not yet been closed.
The allrows object command executes the statement as with the execute object command, accepting an optional dict parameter giving bind variables. After executing the statement, it uses the allrows object command on the result set (see tdbc::resultset) to construct a list of the results. Finally, the result set is closed. The return value is the list of results.
The foreach object command executes the statement as with the execute object command, accepting an optional dict parameter giving bind variables. After executing the statement, it uses the foreach object command on the result set (see tdbc::resultset) to evaluate the given script for each row of the results. Finally, the result set is closed, even if the given script results in a return, an error, or an unusual return code.
The close object command removes a statement and any result sets that it has created. All system resources associated with the objects are freed.
package require tdbc::sqlite3 tdbc::sqlite3::connection create db phonebook.sqlite3 set statement [db prepare { select phone_num from directory where first_name = :firstname and last_name = :lastname }] set firstname Fred set lastname Flintstone $statement foreach row { puts [dict get $row phone_num] } $statement close db close