Parameterized queries in Azure Cosmos DB for NoSQL

APPLIES TO: NoSQL

Azure Cosmos DB for NoSQL supports queries with parameters expressed by the familiar @ notation. Parameterized SQL provides robust handling and escaping of user input, and prevents accidental exposure of data through SQL injection.

Examples

For example, you can write a query that takes lastName and address.state as parameters, and execute it for various values of lastName and address.state based on user input.

SELECT
    *
FROM
    p
WHERE
    (NOT p.onSale) AND
    (p.price BETWEEN 0 AND @upperPriceLimit)

You can then send this request to Azure Cosmos DB for NoSQL as a parameterized JSON query object.

{
  "query": "SELECT * FROM p WHERE (NOT p.onSale) AND (p.price BETWEEN 0 AND @upperPriceLimit)",
  "parameters": [
    {
      "name": "@upperPriceLimit",
      "value": 100
    }
  ]
}

This next example sets the TOP argument with a parameterized query:

{
  "query": "SELECT TOP @pageSize * FROM products",
  "parameters": [
    {
      "name": "@pageSize",
      "value": 10
    }
  ]
}

Parameter values can be any valid JSON: strings, numbers, booleans, null, even arrays or nested JSON. Since Azure Cosmos DB for NoSQL is schemaless, parameters aren't validated against any type.

Here are examples for parameterized queries in each Azure Cosmos DB for NoSQL SDK: