Query parameters declaration statement
Queries sent to Kusto may include a set of name or value pairs. The pairs are called query parameters, together with the query text itself. The query may reference one or more values, by specifying names and type, in a query parameters declaration statement.
Query parameters have two main uses:
- As a protection mechanism against injection attacks.
- As a way to parameterize queries.
In particular, client applications that combine user-provided input in queries that they then send to Kusto should use the mechanism to protect against the Kusto equivalent of SQL Injection attacks.
Declaring query parameters
To reference query parameters, the query text, or functions it uses, must first declare which query parameter it uses. For each parameter, the declaration provides the name and scalar type. Optionally, the parameter can also have a default value. The default is used if the request doesn’t provide a concrete value for the parameter. Kusto then parses the query parameter’s value, according to its normal parsing rules for that type.
Syntax
declare query_parameters ( Name1 : Type1 [= DefaultValue1] [,…] );
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| Name1 | string | ✔️ | The name of a query parameter used in the query. |
| Type1 | string | ✔️ | The corresponding type, such as string or datetime. The values provided by the user are encoded as strings. The appropriate parse method is applied to the query parameter to get a strongly typed value. |
| DefaultValue1 | string | A default value for the parameter. This value must be a literal of the appropriate scalar type. |
Example
The examples in this section show how to use the syntax to help you get started.
Declare query parameters
This query retrieves storm events from the StormEvents table where the total number of direct and indirect injuries exceeds a specified threshold (default is 90). It then projects the EpisodeId, EventType, and the total number of injuries for each of these events.
declare query_parameters(maxInjured:long = 90);
StormEvents
| where InjuriesDirect + InjuriesIndirect > maxInjured
| project EpisodeId, EventType, totalInjuries = InjuriesDirect + InjuriesIndirect
Output
| EpisodeId | EventType | totalInjuries |
|---|---|---|
| 12459 | Winter Weather | 137 |
| 10477 | Excessive Heat | 200 |
| 10391 | Heat | 187 |
| 10217 | Excessive Heat | 422 |
| 10217 | Excessive Heat | 519 |
Specify query parameters in a client application
The names and values of query parameters are provided as string values
by the application making the query. No name may repeat.
The interpretation of the values is done according to the query parameters declaration statement. Every value is parsed as if it were a literal in the body of a query. The parsing is done according to the type specified by the query parameters declaration statement.
REST API
Query parameters are provided by client applications through the properties
slot of the request body’s JSON object, in a nested property bag called
Parameters. For example, here’s the body of a REST API call to Kusto
that calculates the age of some user, presumably by having the application
ask for the user’s birthday.
{
"ns": null,
"db": "myDB",
"csl": "declare query_parameters(birthday:datetime); print strcat(\"Your age is: \", tostring(now() - birthday))",
"properties": "{\"Options\":{},\"Parameters\":{\"birthday\":\"datetime(1970-05-11)\",\"courses\":\"dynamic(['Java', 'C++'])\"}}"
}
Kusto SDKs
To learn how to provide the names and values of query parameters when using Kusto client libraries, see Use query parameters to protect user input.
Kusto.Explorer
To set the query parameters sent when making a request to the service,
use the Query parameters “wrench” icon (ALT + P).
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.