Allow use of prepared SQL statements in `{{#get_db_data:}}`.
Define prepared SQL statements in `LocalSettings.php` per database connection.
Examples
- One statement per connection:
In `LocalSettings.php`:
```
$edgDBServer['rfam'] = 'mysql-rfam-public.ebi.ac.uk:4497';
$edgDBServerType['rfam'] = 'mysql';
$edgDBName['rfam'] = 'Rfam';
$edgDBUser['rfam'] = 'rfamro';
$edgDBPass['rfam'] = '';
$edgDBPrepared['rfam'] = <<<'SQL'
SELECT fr.rfam_acc, fr.rfamseq_acc, fr.seq_start, fr.seq_end
FROM full_region fr, rfamseq rf, taxonomy tx
WHERE rf.ncbi_id = tx.ncbi_id
  AND fr.rfamseq_acc = rf.rfamseq_acc
  AND tx.ncbi_id = ?
  AND is_significant = 1 -- exclude low-scoring matches from the same clan
SQL;
```
In wikitext:
```
{{#get_db_data:
db = rfam
| from=whatever <!-- this parameter is ignored -->
| where=1=10116 <!-- this parameter is used to substitute question marks in prepared statement -->
| data=account=rfam_acc,sec=rfamseq_acc,start=seq_start,end=seq_end
}}
```
- Several statements per connection:
In `LocalSettings.php`:
```
$edgDBServer['rfam'] = 'mysql-rfam-public.ebi.ac.uk:4497';
$edgDBServerType['rfam'] = 'mysql';
$edgDBName['rfam'] = 'Rfam';
$edgDBUser['rfam'] = 'rfamro';
$edgDBPass['rfam'] = '';
// Closing a nowdoc with a trailing comma (SEQ,) requires PHP 7.3 or later;
// on older PHP the closing identifier may only be followed by a semicolon.
$edgDBPrepared['rfam'] = [
    'sequences' => <<<'SEQ'
SELECT fr.rfam_acc, fr.rfamseq_acc, fr.seq_start, fr.seq_end
FROM full_region fr, rfamseq rf, taxonomy tx
WHERE rf.ncbi_id = tx.ncbi_id
  AND fr.rfamseq_acc = rf.rfamseq_acc
  AND tx.ncbi_id = ?
  AND is_significant = 1 -- exclude low-scoring matches from the same clan
SEQ,
    'sno' => <<<'SNO'
SELECT fr.rfam_acc, fr.rfamseq_acc, fr.seq_start, fr.seq_end, f.type
FROM full_region fr, rfamseq rf, taxonomy tx, family f
WHERE rf.ncbi_id = tx.ncbi_id
  AND f.rfam_acc = fr.rfam_acc
  AND fr.rfamseq_acc = rf.rfamseq_acc
  AND tx.tax_string LIKE ?
  AND f.type LIKE '%snoRNA%'
  AND is_significant = 1 -- exclude low-scoring matches from the same clan
SNO
];
```
In wikitext:
```
{{#get_db_data:
db = rfam
| from=sequences <!-- this parameter is used to choose one of the prepared statements -->
| where=1=10116 <!-- this parameter is used to substitute question marks in prepared statement -->
| data=account=rfam_acc,sec=rfamseq_acc,start=seq_start,end=seq_end
}}
```
If one or more prepared SQL statements are defined for a database connection, `{{#get_db_data:}}` can only run those statements on that connection: `from=` selects a statement (or is ignored when only one is configured) and the `where=` values are bound to its `?` placeholders rather than inserted into the query text, so wiki editors cannot issue arbitrary SQL against that connection.
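The following is an added illustration, not code from the External Data extension, of how the two configuration forms above and the `from=` / `where=` parameters map onto a real prepared statement with bound parameters. It runs offline against an in-memory SQLite database with a constructed, cut-down Rfam-like schema. The `where=` syntax it parses (comma-separated `N=value` pairs, N being the 1-based placeholder index) is an assumption, as are the helper names `parseWhereParam`, `selectPreparedStatement` and `runPrepared`; the page only shows the single-placeholder case `where=1=10116`.

```php
<?php
// Added illustration (not the extension's own code): mapping a
// {{#get_db_data:}} call onto a configured prepared statement.
declare(strict_types=1);

// Constructed stand-in for $edgDBPrepared['rfam'] in the several-statements form.
$edgDBPrepared = [
    'rfam' => [
        'sequences' => <<<'SEQ'
SELECT fr.rfam_acc, fr.rfamseq_acc, fr.seq_start, fr.seq_end
FROM full_region fr, rfamseq rf, taxonomy tx
WHERE rf.ncbi_id = tx.ncbi_id
  AND fr.rfamseq_acc = rf.rfamseq_acc
  AND tx.ncbi_id = ?
  AND is_significant = 1
SEQ,
    ],
];

/**
 * Parse the `where=` argument into positional placeholder values.
 * Assumed syntax: comma-separated `N=value` pairs, N = 1-based `?` index.
 */
function parseWhereParam(string $where): array {
    $params = [];
    foreach (explode(',', $where) as $pair) {
        [$index, $value] = array_map('trim', explode('=', $pair, 2) + [1 => '']);
        if (!ctype_digit($index) || (int)$index < 1) {
            throw new InvalidArgumentException("Bad placeholder index in where=: $pair");
        }
        $params[(int)$index] = $value;
    }
    ksort($params);
    return $params;
}

/**
 * Choose the statement for a connection: a plain string means `from=` is
 * ignored; an array means `from=` must name one of its keys. Anything else
 * is refused, so no SQL text ever comes from wikitext.
 */
function selectPreparedStatement(array $edgDBPrepared, string $db, string $from): string {
    if (!isset($edgDBPrepared[$db])) {
        throw new RuntimeException("No prepared statements for connection '$db'");
    }
    $prepared = $edgDBPrepared[$db];
    if (is_string($prepared)) {
        return $prepared;
    }
    if (!isset($prepared[$from])) {
        throw new RuntimeException("Unknown prepared statement '$from' for '$db'");
    }
    return $prepared[$from];
}

/** Prepare the fixed SQL text and bind the `where=` values by position. */
function runPrepared(PDO $pdo, string $sql, array $params): array {
    $stmt = $pdo->prepare($sql);
    // Bound values travel separately from the SQL text, so they can only be
    // compared against, never change the statement from LocalSettings.php.
    foreach ($params as $position => $value) {
        $stmt->bindValue($position, $value);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in the shape the statement expects.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE taxonomy (ncbi_id INTEGER, tax_string TEXT)');
$pdo->exec('CREATE TABLE rfamseq (rfamseq_acc TEXT, ncbi_id INTEGER)');
$pdo->exec('CREATE TABLE full_region (rfam_acc TEXT, rfamseq_acc TEXT, '
    . 'seq_start INTEGER, seq_end INTEGER, is_significant INTEGER)');
$pdo->exec("INSERT INTO taxonomy VALUES (10116, 'Rattus norvegicus'), (9606, 'Homo sapiens')");
$pdo->exec("INSERT INTO rfamseq VALUES ('SEQ-A', 10116), ('SEQ-B', 9606)");
$pdo->exec("INSERT INTO full_region VALUES ('RF00001', 'SEQ-A', 10, 120, 1), "
    . "('RF00002', 'SEQ-A', 300, 410, 0), ('RF00003', 'SEQ-B', 5, 90, 1)");

// Equivalent of: {{#get_db_data: db=rfam | from=sequences | where=1=10116 | ... }}
$sql  = selectPreparedStatement($edgDBPrepared, 'rfam', 'sequences');
$rows = runPrepared($pdo, $sql, parseWhereParam('1=10116'));
print_r($rows); // one row: RF00001 / SEQ-A / 10 / 120 (RF00002 is not significant)
```

The point to take from the example is that the only two things wikitext controls are which configured statement runs and the values bound to its placeholders; a `from=` naming an unconfigured statement is rejected outright, and a `where=` value is a comparison operand, not SQL.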