Interpolated strings and SQL
Timon Gehr
timon.gehr at gmx.ch
Tue Jan 9 23:02:56 UTC 2024
On 1/9/24 23:30, Steven Schveighoffer wrote:
>
> And BTW, this is valid SQL:
>
> ```sql
> SELECT * FROM someTable WHERE fieldN LIKE '%something%'
> ```
>
> Which means, the poor user needs to escape `%` in a way completely
> unrelated to the sql language *or* the istring specification, something
> that IDIP doesn't require.
I had typed up a similar point in my post, but then thought that most
likely DIP1027 does the escaping automatically and dropped the line of
inquiry. But actually checking it now, it indeed does not seem to do
anything to prevent such hijacking.
https://github.com/dlang/DIPs/blob/master/DIPs/rejected/DIP1027.md
https://github.com/dlang/dmd/compare/master...WalterBright:dmd:dip1027#diff-a556a8e6917dd4042f541bdb19673f96940149ec3d416b0156af4d0e4cc5e4bdR16347-R16452
Having the SQL library arbitrarily interpret a substring `%s` in your
SQL query as a placeholder seems like unnecessary pain, and it also
renders moot the idea that DIP1027 code is able to detect mismatches.
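The `%s` hijack described above, modelled as an added Python example (not D code, and not taken from DIP1027 or any D SQL library): a DIP1027-style lowering flattens the interpolated string into a printf-like format string, so a library that treats every `%s` as a parameter slot either miscounts the placeholders or, without the count check, rewrites the LIKE pattern itself; an IDIP-style lowering that keeps literal segments and values separate is shown beside it. The function names and the appended `$id` parameter are assumptions.

```python
# Model of two lowerings of
#   i"SELECT * FROM someTable WHERE fieldN LIKE '%something%' AND id = $id"
# as seen by a SQL library. Hypothetical names; the query is the thread's
# example with a constructed `$id` parameter added.

# Literal segments as a compiler would split them: one more segment than
# there are interpolated values (the trailing segment here is empty).
SEGMENTS = ["SELECT * FROM someTable WHERE fieldN LIKE '%something%' AND id = ", ""]
VALUES = [42]

def dip1027_lower(segments, values):
    """DIP1027 style: collapse into one format string, a %s per value,
    with the literal text copied through unescaped."""
    return "%s".join(segments), list(values)

def prepare_from_format(fmt, args, check=True):
    """SQL wrapper consuming a DIP1027 tuple: every %s in the format string
    is taken as a parameter slot, including the '%s' inside the LIKE pattern."""
    slots = fmt.count("%s")
    if check and slots != len(args):
        raise ValueError(f"placeholder/argument mismatch: {slots} slots, {len(args)} args")
    return fmt.replace("%s", "?"), list(args)

def idip_lower(segments, values):
    """IDIP style: literal segments and values stay separate; nothing is
    parsed back out of the literal text."""
    return list(segments), list(values)

def prepare_from_segments(segments, values):
    """Placeholders go only where the source interpolated a value, so a
    literal '%' in the SQL text cannot be mistaken for a slot."""
    if len(segments) != len(values) + 1:
        raise ValueError("malformed interpolation")
    return "?".join(segments), list(values)

def demo():
    """Run both lowerings over the same query and collect the outcomes."""
    results = {}
    fmt, args = dip1027_lower(SEGMENTS, VALUES)
    try:
        results["dip1027_checked"] = prepare_from_format(fmt, args)
    except ValueError as err:
        results["dip1027_checked"] = str(err)      # false mismatch report
    results["dip1027_unchecked"] = prepare_from_format(fmt, args, check=False)
    results["idip"] = prepare_from_segments(*idip_lower(SEGMENTS, VALUES))
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```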