Feedback Thread: DIP 1036--String Interpolation Tuple Literals--Community Review Round 2

Steven Schveighoffer schveiguy at
Fri Jan 29 13:42:40 UTC 2021

On 1/29/21 3:28 AM, Walter Bright wrote:
>  > provides a call that is free of sql injection attacks
> This is a strong claim that requires substantiation, especially since 
> sql injection attacks are a critical problem.

It's trivially true. The mysql_query function can know that 
interp!"SELECT * FROM" type cannot be from sql injection because the 
string was known at compile time. All runtime parameters are identified 
because they are NOT interp structs, and therefore can use the correct 
mechanism (prepared statements) that does not suffer from sql injection 


More information about the Digitalmars-d mailing list