The state of string interpolation
Steven Schveighoffer
schveiguy at gmail.com
Mon Dec 10 14:48:29 UTC 2018

On 12/10/18 8:48 AM, Olivier FAURE wrote:
> On Thursday, 6 December 2018 at 16:19:12 UTC, Steven Schveighoffer wrote:
>> With the concept of lowering to a tuple, I'd love to use such a thing
>> for database queries.
>>
>> For instance:
>>
>> db.exec("UPDATE Foo SET a = ?, b = ?, c = ?, d = ? WHERE id = ?",
>> aval, bval, cval, dval, id);
>>
>> vs.
>>
>> db.exec(i"UPDATE Foo SET a = $aval, b = $bval, c = $cval, d = $dval
>> WHERE id = $id");
>
> I really like that, but I'd add a caveat: this syntax makes it harder
> for db.exec to know which arguments you give it are trusted compile-time
> inputs, and which arguments are unsafe runtime inputs.
Yes, if you read down into this thread, Neia brought up the same issue.
The answer is -- pass them at compile time. I.e.:
db.exec!(i"UPDATE ...");
Now you have access to what are string literals and what are parameters.
You can even build the query string at compile time if using a library
that requires it all as one string.
-Steve
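
The idea in the reply above, as an added example that is not part of the original post or of any D library: the fragments are passed as template arguments, so the callee can tell compile-time literals from runtime values and build the SQL text at compile time. It assumes the `i"..."` string lowers to the alternating literal/expression tuple written out by hand here; `exec`, `sqlText`, `isLiteral` and `Prepared` are hypothetical names.

```d
import std.conv : to;
import std.stdio : writeln;

// Hypothetical stand-in for a prepared statement: SQL text plus bound values.
struct Prepared { string sql; string[] params; }

// A fragment counts as trusted query text only if its value is a string
// that the compiler can read at compile time.
enum isLiteral(alias a) = __traits(compiles, { enum string s = a; });

// Join the literal fragments, putting a placeholder wherever a runtime value sits.
template sqlText(Args...)
{
    static if (Args.length == 0)
        enum sqlText = "";
    else static if (isLiteral!(Args[0]))
        enum sqlText = Args[0] ~ sqlText!(Args[1 .. $]);
    else
        enum sqlText = "?" ~ sqlText!(Args[1 .. $]);
}

Prepared exec(Args...)()
{
    enum sql = sqlText!Args;      // fixed at compile time, no runtime data in it
    string[] params;
    static foreach (i; 0 .. Args.length)
        static if (!isLiteral!(Args[i]))
            params ~= to!string(Args[i]);   // runtime values are only ever bound
    return Prepared(sql, params);
}

void main()
{
    int aval = 1, id = 42;
    string bval = "O'Brien";      // constructed runtime input containing a quote

    // Hand-written form of: db.exec!(i"UPDATE Foo SET a = $aval, b = $bval WHERE id = $id")
    auto p = exec!("UPDATE Foo SET a = ", aval, ", b = ", bval,
                   " WHERE id = ", id)();

    assert(p.sql == "UPDATE Foo SET a = ?, b = ? WHERE id = ?");
    assert(p.params == ["1", "O'Brien", "42"]);
    writeln(p.sql);
    writeln(p.params);
}
```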