Interpolated strings and SQL
Timon Gehr
timon.gehr at gmx.ch
Tue Jan 9 23:21:32 UTC 2024
On 1/9/24 20:16, Walter Bright wrote:
> On 1/9/2024 4:35 AM, Timon Gehr wrote:
>> This does not work.
>
> How so?
It does not compile. The arg->args fix I'll grant you as it is a typo
whose only significance is to make it even more clear that you never
tried to run any version of the code, but then you still get another
compile error. I suggest you mock out the SQL library; you don't
actually need to install it to try your code.
If we remove the `enum` then your code still does not work correctly,
for example because it does not prevent an SQL injection attack if the
user constructs the SQL string manually by accidentally using `format`.
I and other people already pointed out this flaw and other flaws in
other posts.
> Consider this:
>
> ```
> import std.stdio;
>
> auto execi(Args...)(Args args)
> {
> auto fmt = args[0].dup;
> fmt[0] = 'k';
> writefln(fmt, args[1 .. args.length]);
> }
>
> void main()
> {
> string b = "betty";
> execi(i"hello $b");
> }
> ```
>
> which compiles and runs, printing:
>
> kello betty
I considered it and it did not have an impact on the way I view the
DIP1027 `execi` implementation you have given.
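As an added illustration of the flaw raised above (this is example code, not Walter's or Timon's, and not the DIP1027 implementation itself): under DIP1027 an `i"... $b"` literal lowers to the tuple `("... %s", b)`, so `execi` only ever sees a plain format string in `args[0]` and cannot tell whether that string came from the literal or from a caller's own `format` call. The snippet below mocks an SQL driver that turns `%s` placeholders into bound parameters, then feeds it both call shapes. The `Prepared` type, the `execi` body and the sample value `O'Brien` are all constructed for this example; no real database library is used, and the interpolation lowering is written out by hand because DIP1027 is not in the compiler.

```d
import std.stdio;
import std.format : format;
import std.array : replace;
import std.conv : to;

// Mock SQL driver output (constructed for this example): query text with
// `?` placeholders plus the bound values, which are never spliced into sql.
struct Prepared
{
    string sql;
    string[] params;
}

// Stand-in for the execi under discussion. With DIP1027 semantics
// i"... $b" lowers to ("... %s", b), so args[0] is the format string and
// the remaining args are the interpolated values.
Prepared execi(Args...)(Args args)
{
    Prepared p;
    p.sql = args[0].replace("%s", "?");
    static foreach (i; 1 .. args.length)
        p.params ~= args[i].to!string;
    return p;
}

void main()
{
    string user = "O'Brien"; // constructed sample input containing a quote

    // Hand-written form of what i"SELECT * FROM t WHERE name = $user"
    // would lower to: the value travels separately and ends up bound.
    auto viaLiteral = execi("SELECT * FROM t WHERE name = %s", user);
    writeln(viaLiteral.sql, "  params=", viaLiteral.params);
    // SELECT * FROM t WHERE name = ?  params=["O'Brien"]

    // The case the post warns about: the caller builds the text with
    // `format` first. execi receives an ordinary string, so the user data
    // is already inside the query text and nothing is bound. Nothing in
    // the type system distinguishes this call from the one above.
    auto viaFormat = execi(format("SELECT * FROM t WHERE name = '%s'", user));
    writeln(viaFormat.sql, "  params=", viaFormat.params);
    // SELECT * FROM t WHERE name = 'O'Brien'  params=[]
}
```

Both calls type-check identically because both pass a `string` as `args[0]`; that is the point of the objection. A driver can only refuse the second shape if the interpolated literal lowers to a type that `format` cannot produce, which is exactly what removing the `enum` gives up.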