Flow Studio
Parameterized Queries
How to bind workflow data to query parameters using the parameters map — expression-driven values, type handling, and the mandatory no-interpolation rule.
The Rule: No String Interpolation in SQL
Mandatory: Never embed $output or $json values directly in the SQL string. Only @param placeholders are allowed. The executor validates the SQL at runtime and rejects queries with suspicious concatenation patterns.
Correct Pattern
// CORRECT — parameterized:
{
  "sql": "SELECT * FROM invoices WHERE vendor_id = @vendorId AND status = @status",
  "parameters": {
    "vendorId": "$output.fetchVendor.entityId",
    "status": "pending-approval"
  }
}
// WRONG — string interpolation (blocked):
{
  "sql": "SELECT * FROM invoices WHERE vendor_id = '$output.fetchVendor.entityId'"
}
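The rule above can also be checked before a workflow is deployed. The following is an added example, not Flow Studio's executor code: `lintQueryConfig` and `toPositional` are hypothetical helper names, the expression roots are the ones used on this page, and the `$1, $2` output assumes a driver that takes PostgreSQL-style positional parameters.

```javascript
// Added example: a lint for query-node configs. Not Flow Studio's executor code.
// Assumption: expression roots are the ones shown on this page.
const EXPR_IN_SQL = /\$(output|json|context|now)\b/;
// @name placeholders; the lookbehind skips things like 'a@b.com' and '@@'.
const PLACEHOLDER = /(?<![\w@])@([A-Za-z_]\w*)/g;
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a list of problems; an empty list means the config follows the rule.
function lintQueryConfig(config) {
  const problems = [];
  const sql = config.sql || "";
  const params = config.parameters || {};
  if (EXPR_IN_SQL.test(sql)) {
    problems.push("expression embedded in SQL; bind it through the parameters map");
  }
  const used = new Set([...sql.matchAll(PLACEHOLDER)].map((m) => m[1]));
  for (const name of used) {
    if (!has(params, name)) problems.push(`@${name} has no entry in parameters`);
  }
  for (const name of Object.keys(params)) {
    if (!used.has(name)) problems.push(`parameter ${name} is not referenced in sql`);
  }
  return problems;
}

// Rewrites @name to positional $1, $2, ... and returns the values in that order.
// `values` holds parameters after expression evaluation (constructed by the caller).
function toPositional(sql, values) {
  const order = [];
  const text = sql.replace(PLACEHOLDER, (_match, name) => {
    if (!has(values, name)) throw new Error(`unbound placeholder @${name}`);
    let idx = order.indexOf(name);
    if (idx === -1) idx = order.push(name) - 1;
    return `$${idx + 1}`;
  });
  return { text, values: order.map((name) => values[name]) };
}

// The two configs from this page, plus constructed evaluated values.
const GOOD = {
  sql: "SELECT * FROM invoices WHERE vendor_id = @vendorId AND status = @status",
  parameters: { vendorId: "$output.fetchVendor.entityId", status: "pending-approval" },
};
const BAD = {
  sql: "SELECT * FROM invoices WHERE vendor_id = '$output.fetchVendor.entityId'",
};
console.log(lintQueryConfig(GOOD), lintQueryConfig(BAD));
console.log(toPositional(GOOD.sql, { vendorId: "v-1001", status: "pending-approval" }));
```

The SQL text passed to the driver never contains the evaluated values; they travel only in the separate `values` array.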
Expression-Evaluated Parameters
All values in the parameters map are expression-evaluated before being passed to the database driver as typed parameters. The driver handles quoting and escaping:
{
  "parameters": {
    "employeeId": "$context.actorId",
    "minAmount": "$json.threshold ?? 1000",
    "statusList": "$output.fetchConfig.allowedStatuses",
    "cutoffDate": "$now.toISOString()",
    "tenantRef": "$context.tenantId"
  }
}
Array Parameters (IN clause)
When a parameter value is a JavaScript array, the executor expands it into a multi-parameter IN clause automatically:
// Config:
{
  "sql": "SELECT * FROM invoices WHERE status = ANY(@statuses)",
  "parameters": {
    "statuses": ["pending-approval", "under-review", "escalated"]
  }
}
// Or from an expression:
{
  "statuses": "$output.fetchConfig.activeStatuses"
}
Type coercion: The executor coerces JavaScript types to database types based on the column definition. Strings are passed as VARCHAR, numbers as NUMERIC or BIGINT, booleans as BOOLEAN, ISO date strings as TIMESTAMPTZ, and arrays as the appropriate array type for the database driver.