pgsql-simple-0.1.2: A mid-level PostgreSQL client library.

MaintainerChris Done <>
Safe HaskellNone




A mid-level client library for the MySQL database, aimed at ease of use and high performance.


Writing queries

SQL-based applications are somewhat notorious for their susceptibility to attacks through the injection of maliciously crafted data. The primary reason for widespread vulnerability to SQL injections is that many applications are sloppy in handling user data when constructing SQL queries.

This library provides a Query type and a parameter substitution facility to address both ease of use and security.

The Query type

A Query is a newtype-wrapped ByteString. It intentionally exposes a tiny API that is not compatible with the ByteString API; this makes it difficult to construct queries from fragments of strings. The query and execute functions require queries to be of type Query.

To most easily construct a query, enable GHC's OverloadedStrings language extension and write your query as a normal literal string.

 {-# LANGUAGE OverloadedStrings #-}

 import Database.MySQL.Simple

 hello = do
   conn <- connect defaultConnectInfo
   query conn "select 2 + 2"

A Query value does not represent the actual query that will be executed, but is a template for constructing the final query.

Parameter substitution

Since applications need to be able to construct queries with parameters that change, this library provides a query substitution capability.

The Query template accepted by query and execute can contain any number of "?" characters. Both query and execute accept a third argument, typically a tuple. When constructing the real query to execute, these functions replace the first "?" in the template with the first element of the tuple, the second "?" with the second element, and so on. If necessary, each tuple element will be quoted and escaped prior to substitution; this defeats the single most common injection vector for malicious data.

For example, given the following Query template:

 select * from user where first_name = ? and age > ?

And a tuple of this form:

 ("Boris" :: String, 37 :: Int)

The query to be executed will look like this after substitution:

 select * from user where first_name = 'Boris' and age > 37

If there is a mismatch between the number of "?" characters in your template and the number of elements in your tuple, a FormatError will be thrown.

Note that the substitution functions do not attempt to parse or validate your query. It's up to you to write syntactically valid SQL, and to ensure that each "?" in your query template is matched with the right tuple element.

Type inference

Automated type inference means that you will often be able to avoid supplying explicit type signatures for the elements of a tuple. However, sometimes the compiler will not be able to infer your types. Consider a care where you write a numeric literal in a parameter tuple:

 query conn "select ? + ?" (40,2)

The above query will be rejected by the compiler, because it does not know the specific numeric types of the literals 40 and 2. This is easily fixed:

 query conn "select ? + ?" (40 :: Double, 2 :: Double)

The same kind of problem can arise with string literals if you have the OverloadedStrings language extension enabled. Again, just use an explicit type signature if this happens.

Substituting a single parameter

Haskell lacks a single-element tuple type, so if you have just one value you want substituted into a query, what should you do?

The obvious approach would appear to be something like this:

 instance (Param a) => QueryParam a where

Unfortunately, this wreaks havoc with type inference, so we take a different tack. To represent a single value val as a parameter, write a singleton list [val], use Just val, or use Only val.

Here's an example using a singleton list:

 execute conn "insert into users (first_name) values (?)"

Representing a list of values

Suppose you want to write a query using an IN clause:

 select * from users where first_name in ('Anna', 'Boris', 'Carla')

In such cases, it's common for both the elements and length of the list after the IN keyword to vary from query to query.

To address this case, use the In type wrapper, and use a single "?" character to represent the list. Omit the parentheses around the list; these will be added for you.

Here's an example:

 query conn "select * from users where first_name in ?" $
       In ["Anna", "Boris", "Carla"]

If your In-wrapped list is empty, the string "(null)" will be substituted instead, to ensure that your clause remains syntactically valid.

Modifying multiple rows at once

If you know that you have many rows of data to insert into a table, it is much more efficient to perform all the insertions in a single multi-row INSERT statement than individually.

The executeMany function is intended specifically for helping with multi-row INSERT and UPDATE statements. Its rules for query substitution are different than those for execute.

What executeMany searches for in your Query template is a single substring of the form:

 values (?,?,?)

The rules are as follows:

  • The keyword VALUES is matched case insensitively.
  • There must be no other "?" characters anywhere in your template.
  • There must one or more "?" in the parentheses.
  • Extra white space is fine.

The last argument to executeMany is a list of parameter tuples. These will be substituted into the query where the (?,?) string appears, in a form suitable for use in a multi-row INSERT or UPDATE.

Here is an example:

 executeMany conn
   "insert into users (first_name,last_name) values (?,?)"

The query that will be executed here will look like this (reformatted for tidiness):

 insert into users (first_name,last_name) values

Extracting results

The query and query_ functions return a list of values in the QueryResults typeclass. This class performs automatic extraction and type conversion of rows from a query result.

Here is a simple example of how to extract results:

 import qualified Data.Text as Text

 xs <- query_ conn "select name,age from users"
 forM_ xs $ \(name,age) ->
   putStrLn $ Text.unpack name ++ " is " ++ show (age :: Int)

Notice two important details about this code:

  • The number of columns we ask for in the query template must exactly match the number of elements we specify in a row of the result tuple. If they do not match, a ResultError exception will be thrown.
  • Sometimes, the compiler needs our help in specifying types. It can infer that name must be a Text, due to our use of the unpack function. However, we have to tell it the type of age, as it has no other information to determine the exact type.

Handling null values

The type of a result tuple will look something like this:

 (Text, Int, Int)

Although SQL can accommodate NULL as a value for any of these types, Haskell cannot. If your result contains columns that may be NULL, be sure that you use Maybe in those positions of of your tuple.

 (Text, Maybe Int, Int)

If query encounters a NULL in a row where the corresponding Haskell type is not Maybe, it will throw a ResultError exception.

Type conversions

Conversion of SQL values to Haskell values is somewhat permissive. Here are the rules.

  • For numeric types, any Haskell type that can accurately represent all values of the given MySQL type is considered "compatible". For instance, you can always extract a MySQL TINYINT column to a Haskell Int. The Haskell Float type can accurately represent MySQL integer types of size up to INT24, so it is considered compatble with those types.
  • A numeric compatibility check is based only on the type of a column, not on its values. For instance, a MySQL LONG_LONG column will be considered incompatible with a Haskell Int8, even if it contains the value 1.
  • If a numeric incompatibility is found, query will throw a ResultError.
  • The String and Text types are assumed to be encoded as UTF-8. If you use some other encoding, decoding may fail or give wrong results. In such cases, write a newtype wrapper and a custom Result instance to handle your encoding.


data Connection Source

A database connection.

data Query Source

A query string. This type is intended to make it difficult to construct a SQL query by concatenating string fragments, as that is an extremely common way to accidentally introduce SQL injection vulnerabilities into an application.

This type is an instance of IsString, so the easiest way to construct a query is to enable the OverloadedStrings language extension and then simply write the query in double quotes.

 {-# LANGUAGE OverloadedStrings #-}

 import Database.MySQL.Simple

 q :: Query
 q = "select ?"

The underlying type is a ByteString, and literal Haskell strings that contain Unicode characters will be correctly transformed to UTF-8.

newtype In a Source

Wrap a list of values for use in an IN clause. Replaces a single "?" character with a parenthesized list of rendered values.


 query c "select * from whatever where id in ?" (In [3,4,5])


In a 


Functor In 
Typeable1 In 
Eq a => Eq (In a) 
Ord a => Ord (In a) 
Read a => Read (In a) 
Show a => Show (In a) 
Param a => Param (In [a]) 

newtype Binary a Source

Wrap a mostly-binary string to be escaped in hexadecimal.


Binary a 

newtype Only a Source

A single-value "collection".

This is useful if you need to supply a single parameter to a SQL query, or extract a single column from a SQL result.

Parameter example:

query c "select x from scores where x > ?" (Only (42::Int))

Result example:

xs <- query_ c "select id from users"
forM_ xs $ \(Only id) -> {- ... -}




fromOnly :: a


Functor Only 
Typeable1 Only 
Eq a => Eq (Only a) 
Ord a => Ord (Only a) 
Read a => Read (Only a) 
Show a => Show (Only a) 
Param a => QueryParams (Only a) 
Result a => QueryResults (Only a) 

data ProcessedQuery r Source

A processed, appendable. query


data FormatError Source

Exception thrown if a Query could not be formatted correctly. This may occur if the number of '?' characters in the query string does not match the number of parameters provided.

data QueryError Source

Exception thrown if query is used to perform an INSERT-like operation, or execute is used to perform a SELECT-like operation.

data ResultError Source

Exception thrown if conversion from a SQL value to a Haskell value fails.

Connection management



:: MonadIO m 
=> ConnectInfo 
-> m Connection

The datase connection.

Connect with the given username to the given database. Will throw an exception if it cannot connect.

defaultConnectInfo :: ConnectInfoSource

Default information for setting up a connection.

Defaults are as follows:

  • Server on localhost
  • User postgres
  • No password
  • Database test
  • Character set utf8

Use as in the following example:

 connect defaultConnectInfo { connectHost = "" }



:: MonadIO m 
=> Connection

The connection.

-> m () 

Close a connection. Can safely be called any number of times.

Queries that return results

query :: (QueryParams q, QueryResults r) => Connection -> Query -> q -> IO [r]Source

Perform a SELECT or other SQL query that is expected to return results. All results are retrieved and converted before this function returns.

When processing large results, this function will consume a lot of client-side memory. Consider using fold instead.

Exceptions that may be thrown:

query_ :: QueryResults r => Connection -> Query -> IO [r]Source

A version of query that does not perform query substitution.

processQuery :: (QueryParams q, QueryResults r) => Query -> q -> IO (ProcessedQuery r)Source

Process a query for later use.

queryProcessed :: QueryResults r => Connection -> ProcessedQuery r -> IO [r]Source

A version of query that does not perform query substitution.

Queries that stream results

Statements that do not return results

execute :: QueryParams q => Connection -> Query -> q -> IO IntegerSource

Execute an INSERT, UPDATE, or other SQL query that is not expected to return results.

Returns the number of rows affected.

Throws FormatError if the query could not be formatted correctly.

execute_ :: Connection -> Query -> IO IntegerSource

A version of execute that does not perform query substitution.

executeMany :: QueryParams q => Connection -> Query -> [q] -> IO IntegerSource

Execute a multi-row INSERT, UPDATE, or other SQL query that is not expected to return results.

Returns the number of rows affected.

Throws FormatError if the query could not be formatted correctly.

Transaction handling

withTransaction :: Connection -> IO a -> IO aSource

Execute an action inside a SQL transaction.

This function initiates a transaction with a "begin transaction" statement, then executes the supplied action. If the action succeeds, the transaction will be completed with commit before this function returns.

If the action throws any kind of exception (not just a MySQL-related exception), the transaction will be rolled back using rollback, then the exception will be rethrown.

commit :: (MonadCatchIO m, MonadIO m) => Connection -> m ()Source

Commit a transaction.

rollback :: (MonadCatchIO m, MonadIO m) => Connection -> m ()Source

Rollback a transaction.

Helper functions

formatMany :: QueryParams q => Query -> [q] -> IO ByteStringSource

Format a query string with a variable number of rows.

This function is exposed to help with debugging and logging. Do not use it to prepare queries for execution.

The query string must contain exactly one substitution group, identified by the SQL keyword "VALUES" (case insensitive) followed by an "(" character, a series of one or more "?" characters separated by commas, and a ")" character. White space in a substitution group is permitted.

Throws FormatError if the query string could not be formatted correctly.

formatQuery :: QueryParams q => Query -> q -> IO ByteStringSource

Format a query string.



:: (MonadCatchIO m, MonadIO m) 
=> Pool

The connection pool.

-> (Connection -> m a)

Use the connection.

-> m () 

Use the connection pool.



:: MonadIO m 
=> ConnectInfo

Connect info.

-> m Pool 

Create a new connection pool.