DB stored functions and prepared statements - ODB 2.1.2


Mihai Ocneanu

October 28, 2015, 08:23:44
to OrientDB
Hello,

I wrote a function with 2 input parameters that tries to run this query:

var db = orient.getGraph();
b = db.command("sql","select expand(sp) from (select shortestPath(?, ? , 'OUT') as sp)",[itemId, vertexId]);

When running the function, I get this error:

Error on parsing script at position #0: Error on execution of the script\nScript: getBreadcrumb\n------^\nsun.org.mozilla.javascript.internal.WrappedException: Wrapped com.orientechnologies.orient.core.exception.OCommandExecutionException: Error on execution of command: sql.select expand(sp) from (select shortestPath(#21:29, ? , 'OUT') as sp) (<Unknown source>#68) in <Unknown source> at line number 68\nWrapped com.orientechnologies.orient.core.exception.OCommandExecutionException: Error on execution of command: sql.select expand(sp) from (select shortestPath(#21:29, ? , 'OUT') as sp) (<Unknown source>#68)\nError on execution of command: sql.select expand(sp) from (select shortestPath(#21:29, ? , 'OUT') as sp)\nVertex id can not be null"


It works if I hack it by doing this:
b = db.command("sql"," select expand(sp) from (select shortestPath("+itemId+", "+vertexId+" , 'OUT') as sp) ");

but I don't want the potential security risk, and I also think prepared statements should work anyway, right?

BTW, this query works inside the exact same function:
var b = db.command("sql","select from V_MyVertex where in('E_One').out('E_Two').@rid contains ?", [itemId]);

Thanks,
Mihai
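Added example, not part of the original post and not OrientDB's own code: if the string-concatenation workaround above has to be used, the injection risk the poster mentions can be limited by letting only strict record-ID literals reach the SQL text. The helper names and sample values are hypothetical, and the numeric bounds are assumptions about RID ranges (cluster id as a signed short, position as a signed 64-bit long).

```javascript
// Added example: helper names are hypothetical, not part of the OrientDB API.
// A record ID literal has the form "#<cluster-id>:<cluster-position>".
var RID_PATTERN = /^#(0|[1-9]\d{0,4}):(0|[1-9]\d{0,18})$/;
var MAX_CLUSTER_ID = 32767;                 // assumption: cluster ids fit a signed short
var MAX_POSITION = "9223372036854775807";   // assumption: positions fit a signed 64-bit long

// Returns the RID text unchanged, or throws if the value is anything else.
function toRidLiteral(value) {
  if (value === null || value === undefined) {
    throw new Error("RID is missing");
  }
  var text = String(value);                 // also covers objects that print as a RID
  var match = RID_PATTERN.exec(text);
  if (!match) {
    throw new Error("Not a RID literal");
  }
  if (parseInt(match[1], 10) > MAX_CLUSTER_ID) {
    throw new Error("Cluster id out of range");
  }
  // Same-length digit strings compare correctly as text, so no 64-bit math is needed.
  if (match[2].length === MAX_POSITION.length && match[2] > MAX_POSITION) {
    throw new Error("Cluster position out of range");
  }
  return text;
}

// Builds the workaround query from the post using validated literals only.
function buildShortestPathQuery(itemId, vertexId) {
  return "select expand(sp) from (select shortestPath(" +
    toRidLiteral(itemId) + ", " + toRidLiteral(vertexId) + ", 'OUT') as sp)";
}

// Constructed inputs: reports which values would be allowed into the query text.
function classify(values) {
  return values.map(function (v) {
    try { toRidLiteral(v); return "accepted"; } catch (e) { return "rejected: " + e.message; }
  });
}

// Inside the stored function this would be used as:
//   db.command("sql", buildShortestPathQuery(itemId, vertexId));
```

A null argument is rejected here before the query is built, so a missing parameter fails in the function itself instead of inside the SQL engine.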