[OT] C# can do all the interpolated strings now

kdevel kdevel at vogtner.de
Thu Dec 9 14:33:12 UTC 2021


On Wednesday, 8 December 2021 at 22:10:32 UTC, Steven 
Schveighoffer wrote:
> On 12/8/21 4:31 PM, kdevel wrote:
[...]

>> How is the proper separation of code (query) and data achieved 
>> in this case?
>
> Because the `sqlExec` function figures it out based on the 
> interpolation header. It can tell which parts were literal 
> strings, and which parts were interpolation parameters.

So the string interpolation is used to emulate something like 
embedded SQL (ESQL) with the exception that the (SQL) code is 
quoted. ESQL looks like this [1]:

```sql
    EXEC SQL INSERT INTO tablename VALUES (:variablename);
```

This is clearly favorable over embedded question marks plus 
argument lists.

> The interpolation parameters are replaced with "?", and then 
> the parameters are passed as data (to avoid SQL injection as 
> expected).

I missed that part.

[...]

> e.g. (from a real line of code in my codebase):
>
> ```d
> conn.exec("UPDATE organization SET loc_lat = ?, loc_lon = ? 
> WHERE id = ?", loc_latitude, loc_longitude, id);
>
> // compare to:
> conn.exec(i"UPDATE organization SET loc_lat = $loc_latitude, 
> loc_lon = $loc_longitude WHERE id = $id");
> ```

Final questions: What happens if the "i" in front of the string 
is accidentally lost? Compile-time or runtime error?

How does the compiler/runtime know which type of interpolation to 
choose? I mean if you have

```d
    conn.exec (i"UPDATE organization SET loc_lat = $loc_latitude...
    html.output (i"<input value=\"$value\" ...
```

how and where is it decided to use the SQL interpolation in the 
first line and the HTML escaping in the second?

What is the return type of the interpolation?

Stefan

[1] https://en.wikipedia.org/wiki/ECPG#Using_host_variables

PS: The following code snippet is from the YAIDIP document:

```d
    executeShell("wget " ~ url ~ " -O" ~ file ~ ".frag && mv " ~ file ~ ".frag " ~ file);
```

That should not have been written in the first place. This code 
is prone to shell injection and the only shell-specific 
functionality is that of the "&&". Long story short: I would have 
written it this way:

```d
    import std.process : execute;

    // Each argument is passed as one argv element, so url and file are
    // never parsed by a shell; the second command only runs if wget succeeded.
    execute(["wget", url, "-O", file ~ ".frag"]).status == 0
    &&
    execute(["mv", file ~ ".frag", file]);
```
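The following is an added illustration of the idea discussed above, not code from this thread, from D, or from the YAIDIP document, and it is written in Python rather than D. It emulates the interpolation header as a list of literal fragments and `Param` markers: `to_query`/`sql_exec` turn that into a "?" query plus a parameter list (the sqlExec behaviour described in the quoted reply), and `argv_from_interp` applies the same separation to the shell case from the PS, where whitespace in the literal text separates arguments and a parameter is always exactly one argument. The `Param`, `to_query`, `sql_exec`, `update_location`, `lookup_name` and `argv_from_interp` names are assumptions made for this example; the organization table and its rows are constructed here.

```python
"""Emulation of an interpolation header: the consumer sees literal text and
interpolated values as distinct parts and decides how the values travel.

Added example (hypothetical names); not the D/YAIDIP implementation."""
import re
import sqlite3
from dataclasses import dataclass
from typing import Any, List, Tuple, Union


@dataclass(frozen=True)
class Param:
    """A value interpolated into the string: always data, never code."""
    value: Any


# What an i"..." literal becomes for the consumer in this emulation.
Interp = List[Union[str, Param]]


def to_query(parts: Interp) -> Tuple[str, list]:
    """Literal fragments form the SQL text; each Param becomes a '?'."""
    if isinstance(parts, str):
        # Analogue of a lost leading i": there is no header, so the
        # consumer cannot tell code from data and refuses at runtime.
        raise TypeError("plain string given; expected interpolation parts")
    sql, args = [], []
    for p in parts:
        if isinstance(p, Param):
            sql.append("?")
            args.append(p.value)
        else:
            sql.append(p)
    return "".join(sql), args


def sql_exec(conn: sqlite3.Connection, parts: Interp) -> sqlite3.Cursor:
    """Run an interpolated statement with the values bound as parameters."""
    query, args = to_query(parts)
    return conn.execute(query, args)


def _fresh_db() -> sqlite3.Connection:
    # Constructed sample schema and rows for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE organization "
                 "(id INTEGER PRIMARY KEY, name TEXT, loc_lat REAL, loc_lon REAL)")
    conn.executemany("INSERT INTO organization VALUES (?, ?, 0, 0)",
                     [(1, "O'Brien & Co"), (2, "Vogtner")])
    return conn


def update_location(lat: float, lon: float, org_id: int) -> tuple:
    """The UPDATE from the thread, written with interpolation parts."""
    conn = _fresh_db()
    sql_exec(conn, ["UPDATE organization SET loc_lat = ", Param(lat),
                    ", loc_lon = ", Param(lon), " WHERE id = ", Param(org_id)])
    row = conn.execute("SELECT loc_lat, loc_lon FROM organization WHERE id = ?",
                       (org_id,)).fetchone()
    conn.close()
    return row


def lookup_name(name: str) -> int:
    """A value containing a quote is plain data: no escaping needed, no
    syntax error, and no way for it to alter the statement."""
    conn = _fresh_db()
    n = sql_exec(conn, ["SELECT COUNT(*) FROM organization WHERE name = ",
                        Param(name)]).fetchone()[0]
    conn.close()
    return n


def argv_from_interp(parts: Interp) -> List[str]:
    """Whitespace in literal text separates arguments; a Param is glued to
    adjacent literal text but never split, whatever characters it holds."""
    argv: List[str] = []
    cur = None  # argument under construction; None between arguments
    for p in parts:
        if isinstance(p, Param):
            cur = (cur or "") + str(p.value)
            continue
        for tok in re.split(r"(\s+)", p):
            if not tok:
                continue
            if tok.isspace():
                if cur is not None:
                    argv.append(cur)
                    cur = None
            else:
                cur = (cur or "") + tok
    if cur is not None:
        argv.append(cur)
    return argv


if __name__ == "__main__":
    print(to_query(["UPDATE organization SET loc_lat = ", Param(48.1),
                    ", loc_lon = ", Param(11.6), " WHERE id = ", Param(1)]))
    print(lookup_name("O'Brien & Co"))
    # The PS example: file name with a space and "&&" stays one argument.
    print(argv_from_interp(["wget ", Param("http://example.invalid/a b"),
                            " -O ", Param("my file && x"), ".frag"]))
```

The argv variant goes one step beyond the thread: it shows that the same header that lets `sqlExec` emit "?" placeholders would let a process-spawning consumer build an argument vector directly, so the "&&" in the YAIDIP snippet could only ever be literal text, never a shell operator supplied by data.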