arangodb/Documentation/Books/AQL/Fundamentals/BindParameters.mdpp

!CHAPTER Bind parameters

AQL supports the usage of bind parameters, thus allowing to separate the query
text from literal values used in the query. It is good practice to separate the
query text from the literal values because this will prevent (malicious)
injection of keywords and other collection names into an existing query. This
injection would be dangerous because it may change the meaning of an existing
query.

Using bind parameters, the meaning of an existing query cannot be changed. Bind
parameters can be used everywhere in a query where literals can be used.

The syntax for bind parameters is *@name* where *name* is the
actual parameter name. The bind parameter values need to be passed along with
the query when it is executed, but not as part of the query text itself.

    FOR u IN users
      FILTER u.id == @id && u.name == @name
      RETURN u

Bind parameter names must start with any of the letters *a* to *z* (both in
lower and upper case) or a digit (*0* to *9*), and can be followed by any
letter, digit or the underscore symbol.

Bind variables represent a value like a string, and must not be put in quotes.
If you need to do string processing (concatenation, etc.) in the AQL query, you need
[to use string functions to do so](../Functions/String.md):

    FOR u IN users
      FILTER u.id == CONCAT('prefix', @id, 'suffix') && u.name == @name
      RETURN u


A special type of bind parameter exists for injecting collection names. This
type of bind parameter has a name prefixed with an additional *@* symbol (thus
when using the bind parameter in a query, two *@* symbols must be used).

    FOR u IN @@collection
      FILTER u.active == true
      RETURN u


Specific information about parameters binding can also be found in
[Aql With Web Interface](../Invocation/WithWebInterface.md) and
[Aql With Arangosh](../Invocation/WithArangosh.md), and
[HTTP Interface for AQL Queries](../../HTTP/AqlQuery/index.html)