The state of string interpolation

Steven Schveighoffer schveiguy at gmail.com
Thu Dec 6 18:16:26 UTC 2018


On 12/6/18 12:47 PM, Andre Pany wrote:
> On Thursday, 6 December 2018 at 16:19:12 UTC, Steven Schveighoffer wrote:
>> For instance:
>>
>> db.exec("UPDATE Foo SET a = ?, b = ?, c = ?, d = ? WHERE id = ?", 
>> aval, bval, cval, dval, id);
>>
>> vs.
>>
>> db.exec(i"UPDATE Foo SET a = $aval, b = $bval, c = $cval, d = $dval 
>> WHERE id = $id");
>>
> Do I understand your SQL example right: although it looks like it is 
> prone to SQL injection attacks, it isn't because you evaluate the 
> tuples and not use the string as whole?

Yes, that's exactly right, the whole thing gets lowered into:

db.exec("UPDATE Foo SET a = ", aval, ", b = ", bval, ", c = ", cval, ", 
d = ", dval, " WHERE id = ", id);

The one thing that this requires, in order to not allocate a string to 
pass to the SQL engine, is direct protocol access, such as we have in 
mysql-native.

There are other possibilities too. For instance, it's possible we could 
somehow pass the strings for compile time, so the real SQL string is 
generated internally. But I don't know how that would look. Perhaps, you 
just pass the query string at compile time, and deal with the tuple to 
generate the string.

-Steve
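To make the lowering concrete, here is an added example (my own Python model, not D code from the thread or mysql-native's API). It mimics what Steve describes: an `i"..."` string is split into compile-time literal fragments and runtime values, and a database call that receives that tuple keeps the fragments as query text while every value is bound as a parameter. The `Lit` marker, `lower`, `to_parameterized` and `exec_lowered` names are all assumptions of this example; in the real scheme the fragments are string literals known at compile time, whereas here `lower` splits the template at runtime and tags the fragments with `Lit` so the two kinds can be told apart. The hostile input and the `Foo` table contents are constructed for the demo.

```python
from __future__ import annotations

import re
import sqlite3
from typing import Any, NamedTuple


class Lit(NamedTuple):
    # Marker for a query-text fragment. In the lowering described in the
    # post these are compile-time string literals; anything that is NOT a
    # Lit is a runtime value and must be bound, never spliced into the SQL.
    text: str


_VAR = re.compile(r"\$([A-Za-z_]\w*)")


def lower(template: str, **values: Any) -> tuple:
    """Model the i"..." lowering: produce one flat tuple of literal
    fragments (Lit) and the referenced values, in source order."""
    parts: list = []
    pos = 0
    for m in _VAR.finditer(template):
        if m.start() > pos:
            parts.append(Lit(template[pos:m.start()]))
        parts.append(values[m.group(1)])  # KeyError for an unknown $name
        pos = m.end()
    if pos < len(template):
        parts.append(Lit(template[pos:]))
    return tuple(parts)


def to_parameterized(parts: tuple) -> tuple[str, list]:
    """Turn the lowered tuple into (sql_with_placeholders, bound_params).
    Only Lit fragments become query text; every other element becomes a
    '?' placeholder plus a bound parameter, so a value can never change
    the structure of the statement."""
    sql: list[str] = []
    params: list = []
    for p in parts:
        if isinstance(p, Lit):
            sql.append(p.text)
        else:
            sql.append("?")
            params.append(p)
    return "".join(sql), params


def exec_lowered(conn: sqlite3.Connection, *parts: Any) -> int:
    """The db.exec(...) of the post: accept the lowered tuple, build a
    parameterized statement and run it. Returns the affected row count."""
    sql, params = to_parameterized(parts)
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount


def demo() -> list[tuple]:
    """Run the UPDATE from the thread against an in-memory table with a
    constructed hostile value for $aval and return the resulting rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Foo (id INTEGER PRIMARY KEY, a TEXT, b TEXT, c TEXT, d TEXT)"
    )
    conn.execute(
        "INSERT INTO Foo VALUES (1, 'a0', 'b0', 'c0', 'd0'), (2, 'a0', 'b0', 'c0', 'd0')"
    )
    # Constructed hostile input: if it were spliced into the SQL text it
    # would rewrite the WHERE clause; as a bound parameter it is just data.
    hostile = "x', b = 'pwned' WHERE id = 2 --"
    parts = lower(
        "UPDATE Foo SET a = $aval, b = $bval, c = $cval, d = $dval WHERE id = $id",
        aval=hostile, bval="b1", cval="c1", dval="d1", id=1,
    )
    exec_lowered(conn, *parts)
    return conn.execute("SELECT id, a, b FROM Foo ORDER BY id").fetchall()


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The check that matters is in `demo`: row 1 ends up with the hostile string stored verbatim in column `a`, and row 2 is untouched, because the value only ever reaches the engine as a bound parameter. Note the flip side: the scheme protects values, not structure. Interpolating something that must be SQL syntax (a table or column name) would likewise be bound as a string and produce an invalid statement rather than the intended query, which is the right failure mode.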
