yet another string interp dip, simple edition
cc
cc at nevernet.com
Fri Jan 19 10:07:38 UTC 2024
On Thursday, 18 January 2024 at 23:05:03 UTC, Alexandru Ermicioi
wrote:
> On Thursday, 18 January 2024 at 20:30:43 UTC, cc wrote:
>>
>> If your programmer is using string interpolation for sensitive
>> sql queries, you fire the programmer.
>
> You will, but first, you'd get your company software breached,
> so perhaps it is best to not allow such things in the first
> place (language).
Then it might be best not to allow any such practice of injecting
dynamic string data into a constructed string command that will
be fed into an interpreter that doesn't discriminate between
querying and manipulating data in the first place. To echo
another poster, *that's SQL's problem*.😉
Nothing wrong with saying "let's make this system a little
better", but how far is a language *really* obligated to go to
protect users from doing the same terrible thing they do in every
other language with a database interface known to have some of
the widest attack surfaces in history? Not a rhetorical
question: I can see some advantage to D being able to say "hey
look, our string interpolation is THIS good, you can do this with
it and not get screwed!", but I can also see it going too far and
creating a wasteland of "can't have nice things" because someone
somewhere will carry on the same old bad practices of shooting
themselves in both feet with it.
Just my irrelevant 2 cents, anyway. That ship has sailed, but
worth remembering for the next one to come into port, IMO.
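As an added illustration of the point argued above (not code from the thread or from D), this Python snippet contrasts plain interpolation of a value into SQL text with an emulation of what an interpolation that hands literals and expressions to the library separately makes possible: the values travel as bind parameters, so the interpreter is never asked to tell data from command. The table, rows and probe string are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample data, not from the thread.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def lookup_interpolated(con, name):
    # Plain interpolation: the value becomes part of the SQL text, so the
    # interpreter cannot distinguish the data from the command around it.
    return con.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def sql(parts, values):
    """Emulate an interpolation that exposes its structure to the library
    (hypothetical helper): literal pieces are joined with '?' placeholders
    and the interpolated values are returned as bind parameters."""
    if len(parts) != len(values) + 1:
        raise ValueError("expected exactly one literal piece more than values")
    return "?".join(parts), tuple(values)


def lookup_structured(con, name):
    # The same query, but the name never touches the SQL text.
    query, params = sql(["SELECT name FROM users WHERE name = ", ""], [name])
    return con.execute(query, params).fetchall()


def demo():
    con = make_db()
    probe = "x' OR '1'='1"  # constructed input that happens to be SQL syntax
    return {
        "interpolated": lookup_interpolated(con, probe),   # every row
        "structured": lookup_structured(con, probe),       # no such name
        "structured_normal": lookup_structured(con, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```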