Interpolated strings and SQL
Nickolay Bukreyev
buknik95 at ya.ru
Tue Jan 9 08:04:11 UTC 2024
I’ve just realized DIP1036 has an excellent feature that is not
evident right away. Look at the signature of `execi`:
```d
auto execi(Args...)(Sqlite db, InterpolationHeader header, Args args, InterpolationFooter footer) { ... }
```
`InterpolationHeader`/`InterpolationFooter` _require_ you to pass
an istring. Consider this example:
```d
db.execi(i"INSERT INTO items VALUES ($(x))".text);
```
Here, we accidentally added `.text`. It would be an SQL
injection… but the compiler rejects it! `typeof(i"...".text)` is
`string`, and `execi` cannot be called with `(Sqlite, string)`.
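Added example, not code from the post or from the arsd sqlite library: a stand-alone sketch of how an `execi`-style sink can exploit the header/footer types. Literal text of the istring goes into the SQL, each `$(expr)` becomes a `?` placeholder, and the value is bound separately, so it is never spliced into the query text; the two `static assert`s reproduce the compile-time rejection described above. `Sqlite` and `Prepared` are hypothetical stand-ins; the example assumes a DMD with DIP1036e support (the `i"..."` literal and `core.interpolation`).

```d
import core.interpolation;          // InterpolationHeader/Footer, InterpolatedLiteral, InterpolatedExpression (DIP1036e)
import std.traits : isInstanceOf;
import std.conv : to, text;
import std.stdio : writeln;

struct Sqlite {}                    // hypothetical stand-in for the real database handle

// Hypothetical result type: the SQL with `?` placeholders plus the values to bind.
struct Prepared { string sql; string[] params; }

// execi-style sink: the header/footer parameters make an istring the only accepted input.
Prepared execi(Args...)(Sqlite db, InterpolationHeader header, Args args, InterpolationFooter footer)
{
    Prepared p;
    static foreach (i, A; Args)
    {
        static if (isInstanceOf!(InterpolatedLiteral, A))
            p.sql ~= args[i].toString();        // literal SQL text, written by the programmer
        else static if (isInstanceOf!(InterpolatedExpression, A))
            p.sql ~= "?";                        // each $(expr) becomes a placeholder ...
        else
            p.params ~= to!string(args[i]);      // ... and its value is bound, never concatenated into the SQL
    }
    return p;
}

void main()
{
    Sqlite db;
    string x = "O'Brien";                        // constructed input; the quote would break naive concatenation
    auto p = db.execi(i"INSERT INTO items VALUES ($(x))");
    writeln(p.sql);                              // the SQL contains a placeholder, not the value
    writeln(p.params);                           // the value travels separately

    // The mistake from the post: stringifying first yields a plain string, which execi refuses.
    static assert(!__traits(compiles, db.execi(i"INSERT INTO items VALUES ($(x))".text)));
    // Manual concatenation is rejected for the same reason.
    static assert(!__traits(compiles, db.execi("INSERT INTO items VALUES ('" ~ x ~ "')")));
}
```

The point of the design is that the only way to reach `execi` is through the interpolation sequence itself, so the programmer cannot hand it a pre-built string, whether by an accidental `.text` or by deliberate concatenation.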