Interpolated strings and SQL
Walter Bright
newshound2 at digitalmars.com
Tue Jan 9 20:01:34 UTC 2024
On 1/9/2024 4:35 AM, Timon Gehr wrote:
> However, let's for the sake
> of argument assume that, miraculously, `execi` can read the format string at
> compile time, then:
Adam's implementation of execi() also runs at run time, not compile time.
> - With this signature, if you pass a manually-constructed string to it, it would
> just accept the SQL injection.
It was just a proof of concept piece of code. execi could check for format
strings that contain ?n sequences. It could also check the number of %s formats
against the number of arguments.
> But you get a useful error message that exactly pinpoints what the problem is.
> Also, they could be supported, which is the point.
> - It does not give a proper error message for nested istrings.
execi could be extended to reject arguments that contain %s sequences. Or, if
there was an embedded istring, the number of %s formats can be checked against
the number of arguments. An embedded istring would show a mismatch.
I expect that use of nested istrings would be exceedingly rare. If they are
used, wrapping them in text() will make it work. Besides, would a nested istring in
an sql call be intended as part of the sql format, or would a text string be the
intended result?
> - It has to manually parse the format string. It iterates over each character of
> the original format string.
Correct. And it does not need to iterate over and remove all the Interpolation
arguments. Nor does it need the extra two arguments, which aren't free of cost.
> - It (ironically!) constructs a new format string, the original one was useless.
Yes, it converts the format specifiers to the sql ones. Why is this a problem?
> - If you pass a bad format string to it (for example, by specifying a manual
> format), it will just do nonsense, while DIP1036e avoids bad format strings by
> construction.
What happens when ?3 is included in a DIP1036 istring? `i"string ?3 ($betty)"` ?
I didn't see any check for that. Of course, one could add such a check to the
1036 execi.
printf format strings are checked by the compiler, and writef format strings are
checked by writef. execi is also capable of being extended to check the format
string to ensure the format matches the args.
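The checks proposed in this message (reject a format string that already carries a ?n placeholder, compare the number of %s specifiers with the number of arguments, reject an argument that itself contains a %s sequence) are sketched below as an added example; this is not Adam's execi, not DIP1036e code, and not anything from the thread. The names `prepare` and `Prepared` are assumptions, and the output is a SQLite-style parameterized statement plus separately bound parameters rather than a spliced string.

```d
// Added example (not Adam's execi): a run-time checker that turns a printf-style
// format string into a parameterized SQL statement, applying the checks this
// message describes. The names `prepare` and `Prepared` are assumptions.
import std.array : appender;
import std.conv : to;
import std.exception : enforce, assertThrown;
import std.algorithm.searching : canFind;

struct Prepared
{
    string sql;      // format with each %s replaced by ?1, ?2, ...
    string[] params; // bound separately, never spliced into sql
}

/// Converts `fmt` to numbered placeholders and validates it. Throws if the format
/// already contains a ?n sequence, if the count of %s specifiers does not match the
/// number of arguments, or if a string argument itself contains a %s sequence (the
/// "embedded istring" case discussed above).
Prepared prepare(Args...)(string fmt, Args args)
{
    auto sql = appender!string;
    size_t nSpec = 0;
    for (size_t i = 0; i < fmt.length; ++i)
    {
        immutable c = fmt[i];
        if (c == '%')
        {
            enforce(i + 1 < fmt.length && fmt[i + 1] == 's',
                "only %s is supported, bad specifier at index " ~ i.to!string);
            ++i;
            ++nSpec;
            sql ~= "?" ~ nSpec.to!string; // %s becomes ?1, ?2, ... in order
        }
        else if (c == '?' && i + 1 < fmt.length && fmt[i + 1] >= '0' && fmt[i + 1] <= '9')
        {
            // A hand-written ?n would alias one of the generated placeholders.
            throw new Exception("format contains a ?n placeholder at index " ~ i.to!string);
        }
        else
            sql ~= c;
    }
    enforce(nSpec == Args.length, "format has " ~ nSpec.to!string
        ~ " %s specifiers but " ~ to!string(Args.length) ~ " arguments were given");

    string[] params;
    foreach (arg; args) // static foreach over the argument tuple
    {
        static if (is(typeof(arg) : const(char)[]))
            enforce(!canFind(arg, "%s"), "argument contains a %s sequence (nested istring?)");
        params ~= arg.to!string;
    }
    return Prepared(sql.data, params);
}

void main()
{
    import std.stdio : writeln;
    // Constructed sample input: the quote in the name never reaches the SQL text,
    // it is carried as a bound parameter.
    auto p = prepare("select * from users where name = %s and age > %s", "O'Brien", 30);
    writeln(p.sql);    // select * from users where name = ?1 and age > ?2
    writeln(p.params); // ["O'Brien", "30"]

    // The cases this message says execi could reject:
    assertThrown(prepare("select %s where id = ?3", "x"));   // manual ?n in the format
    assertThrown(prepare("select %s, %s", "x"));             // specifier/argument mismatch
    assertThrown(prepare("select %s", "a %s b"));            // %s inside an argument
}
```

Because every %s is rewritten to a numbered placeholder and the values travel in `params`, a driver that binds them (SQLite's `?NNN` form is what the numbering follows) never sees the argument text as SQL, which is the property the whole thread is after.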
More information about the Digitalmars-d
mailing list