We are forking D

Bruce Carneal bcarneal at gmail.com
Sun Jan 7 19:09:10 UTC 2024


On Sunday, 7 January 2024 at 09:04:16 UTC, Walter Bright wrote:
> On 1/6/2024 9:35 PM, H. S. Teoh wrote:
>> Noteworthy is the fact that the competing string interpolation
>> proposals are *not* immune to this sort of SQL injection attack,
>> because premature conversion of the i"" literal to string *would*
>> result in a successful injection.
>
> The same technique of having a template take the generated 
> tuple and modifying it as it sees fit works with DIP1027, too. 
> I posted an example here in the last debate about this.
>
> ...
>
> It's true that in order for this to work,
>
> ```
> db.execi(i"INSERT INTO sample VALUES ($(id), $(name))");
> ```
> would need to be written as:
> ```
> db.execi(xxx!(i"INSERT INTO sample VALUES ($(id), $(name))"));
> ```
> where `xxx` is the thoroughly unimaginative name of the
...

So 1027 is equivalently good in this aspect as long as 
programmers are conscientious in their definition and use of a 
typing convention?

Unless 1036e is believed to be very difficult to implement 
correctly, or has nasty cross dependencies that could cause 
problems later, this would seem to be a bad trade (hypothetical? 
simplification of implementation in exchange for making things 
harder for users).
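The mechanism the quoted exchange turns on, as an added illustration that is not code from this thread or from either DIP: a DIP1036e-style `prepareQuery` consumes the interpolation tuple before anything flattens it to a string, emitting `?` placeholders and collecting the `$(...)` values for binding, while `std.conv.text` on the same literal is the "premature conversion" that splices the value into SQL text. It assumes the `core.interpolation` types shipped with recent DMD (`InterpolationHeader`, `InterpolatedLiteral!text`, `InterpolatedExpression!expr`, `InterpolationFooter`); `PreparedQuery` and the sample input are constructed for this example.

```d
import core.interpolation;
import std.conv : to;

/// Constructed result type: SQL text with `?` placeholders plus the values
/// to bind, which are sent to the driver separately from the SQL text.
struct PreparedQuery
{
    string sql;
    string[] params;
}

/// Takes the DIP1036e interpolation sequence directly. The literal pieces and
/// the interpolated values arrive as separate tuple elements, so the values
/// can be bound instead of concatenated into the statement.
PreparedQuery prepareQuery(Args...)(Args args)
    if (Args.length >= 2 && is(Args[0] == InterpolationHeader)
        && is(Args[$ - 1] == InterpolationFooter))
{
    PreparedQuery q;
    static foreach (i, T; Args)
    {
        static if (is(T == InterpolationHeader) || is(T == InterpolationFooter)) {}
        else static if (is(T == InterpolatedLiteral!lit, string lit))
            q.sql ~= lit;                 // compile-time literal: trusted SQL text
        else static if (is(T == InterpolatedExpression!expr, string expr))
            q.sql ~= "?";                 // placeholder; `expr` is only source text
        else
            q.params ~= args[i].to!string; // runtime value of the preceding $(...)
    }
    return q;
}

void main()
{
    int id = 7;
    string name = "O'Brien"; // constructed input: an unescaped quote already breaks the statement

    // Safe: the tuple reaches prepareQuery before anything stringifies it.
    auto q = prepareQuery(i"INSERT INTO sample VALUES ($(id), $(name))");
    assert(q.sql == "INSERT INTO sample VALUES (?, ?)");
    assert(q.params == ["7", "O'Brien"]);

    // Premature conversion: `text` flattens the tuple into one string, so a
    // string-taking API would receive the value as part of the SQL itself.
    import std.conv : text;
    string flattened = text(i"INSERT INTO sample VALUES ($(id), $(name))");
    assert(flattened == "INSERT INTO sample VALUES (7, O'Brien)");
}
```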
