sqlite support added to sqlbuilder
Steven Schveighoffer
schveiguy at gmail.com
Thu Jan 4 18:43:30 UTC 2024
On Thursday, 4 January 2024 at 18:03:56 UTC, Leonardo wrote:
> On Saturday, 30 December 2023 at 22:11:55 UTC, Steven Schveighoffer wrote:
>> auto andrei = db.fetchOne(select(ads).where(ads.firstname, " = 'Andrei'"));
>
> How is SQL injection avoided here?
SQL injection is avoided by passing parameter data. You use the
`param` wrapper.
So if you had unqualified user input, it would be:
```d
string personname = getFromUser();
// " = " is SQL text; personname.param is sent as a bound parameter, not spliced into the SQL
auto author = db.fetchOne(select(ads).where(ads.firstname, " = ", personname.param));
```
For everything except strings, it is a static error to pass them
in without the `.param` wrapper. For strings, I can't help it,
there is no mechanism to find out whether you are writing SQL or
giving me a parameter.
This should be fixable if interpolation ever happens (and I can
get rid of the requirement for `.param`).
-Steve
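The `.param` distinction described above, as an added illustration that is not sqlbuilder's own code: a minimal hypothetical `where` that treats plain strings as SQL text, treats `Param!T` values as bound parameters, and rejects anything else at compile time. The names `Param`, `param`, `Query` and `where` are assumptions for this sketch, not sqlbuilder's API.

```d
import std.conv : to;
import std.traits : isSomeString;

// Hypothetical wrapper marking a value as a bound parameter.
struct Param(T) { T value; }
Param!T param(T)(T value) { return Param!T(value); }

struct Query {
    string sql;       // SQL text with ? placeholders
    string[] params;  // bound values, shipped separately from the text
}

// Each argument is either SQL text (a string) or a bound parameter.
// Any other type is a compile-time error, as the post describes.
Query where(Args...)(string column, Args args) {
    Query q;
    q.sql = "WHERE " ~ column;
    foreach (arg; args) {
        alias A = typeof(arg);
        static if (is(A == Param!U, U)) {
            q.sql ~= "?";
            q.params ~= arg.value.to!string;
        } else static if (isSomeString!A) {
            q.sql ~= arg;  // a bare string is trusted as SQL; the builder cannot tell otherwise
        } else {
            static assert(0, "non-string values must be passed through .param");
        }
    }
    return q;
}

void main() {
    string personname = "O'Brien";  // constructed user input containing a quote

    // Parameterised: the quote never reaches the SQL text.
    auto safe = where("firstname", " = ", personname.param);
    assert(safe.sql == "WHERE firstname = ?");
    assert(safe.params == [personname]);

    // Concatenated: the same input becomes SQL text, which is the injection risk.
    auto unsafe = where("firstname", " = '" ~ personname ~ "'");
    assert(unsafe.sql == "WHERE firstname = 'O'Brien'");
    assert(unsafe.params.length == 0);

    // where("id", " = ", 42) would not compile; non-strings need .param.
    auto byId = where("id", " = ", 42.param);
    assert(byId.params == ["42"]);
}
```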