The state of string interpolation

Steven Schveighoffer schveiguy at
Mon Dec 10 14:48:29 UTC 2018

On 12/10/18 8:48 AM, Olivier FAURE wrote:
> On Thursday, 6 December 2018 at 16:19:12 UTC, Steven Schveighoffer wrote:
>> With the concept of lowering to a tuple, I'd love to use such a thing 
>> for database queries.
>> For instance:
>> db.exec("UPDATE Foo SET a = ?, b = ?, c = ?, d = ? WHERE id = ?", 
>> aval, bval, cval, dval, id);
>> vs.
>> db.exec(i"UPDATE Foo SET a = $aval, b = $bval, c = $cval, d = $dval 
>> WHERE id = $id");
> I really like that, but I'd add a caveat: this syntax makes it harder 
> for db.exec to know which arguments you give it are trusted compile-time 
> inputs, and which arguments are unsafe runtime inputs.

Yes, if you read down into this thread, Neia brought up the same issue.

The answer is -- pass them at compile time. I.e.:

db.exec!(i"UPDATE ...");

Now you have access to what are string literals and what are parameters. 
You can even build the query string at compile time if using a library 
that requires it all as one string.


More information about the Digitalmars-d mailing list