We are forking D
H. S. Teoh
hsteoh at qfbox.info
Sun Jan 7 05:35:53 UTC 2024
On Sat, Jan 06, 2024 at 01:53:18PM +0000, matheus via Digitalmars-d wrote:
> On Friday, 5 January 2024 at 19:21:36 UTC, H. S. Teoh wrote:
> > ...
> > DIP1036 is already merged and working. E.g., the following works today:
> > ...
>
> Already!? - I need to check this but I couldn't find any nightly build
> (The currently Readme points to original Dlang), so I think I will
> need to build myself?
[...]
Thought I'd showcase what the string interpolation tuple DIP can do,
which currently compiles with the forked compiler and behaves as
advertised:
````
// Taken from Adam's interpolation-examples repo
// (https://github.com/adamdruppe/interpolation-examples)
module demo.sql;
import arsd.sqlite;
import lib.sql;
import std.stdio;
void main() {
auto db = new Sqlite(":memory:");
db.query("CREATE TABLE sample (id INTEGER, name TEXT)");
// you might think this is sql injection... but it isn't! the lib
// uses the rich metadata provided by the interpolated sequence to
// use prepared statements appropriate for the db engine under the hood
int id = 1;
string name = "' DROP TABLE', '";
db.execi(i"INSERT INTO sample VALUES ($(id), $(name))");
foreach(row; db.query("SELECT * from sample"))
writeln(row[0], ": ", row[1]);
}
````
This compiles with the forked compiler today, and correctly handles the
dangerous string `name` that imitates a SQL injection attack. Thanks to
the compile-time information provided by the interpolation tuple, the
backend code is able to understand that the contents of `name` is string
data to be bound to a SQL placeholder rather than copied verbatim into a
SQL query string (which would have allowed the SQL injection attack to
work), so it is able to safely store the data as a harmless string
inside the database.
Output (note that the string "' DROP TABLE', '" is stored as a string,
and the attempted SQL injection did not work):
----------------
1: ' DROP TABLE', '
----------------
Noteworthy is the fact that the competing string interpolation proposals
are *not* immune to this sort of SQL injection attack, because premature
conversion of the i"" literal to string *would* result in a successful
injection.
My personal hope is that the string interpolation tuple DIP would go
through in the official version of D and we would all benefit from it,
rather than have the current stalemate continue for another who knows
how many years.
T
--
Unix was not designed to stop people from doing stupid things, because that would also stop them from doing clever things. -- Doug Gwyn
More information about the Digitalmars-d
mailing list