yet another string interp dip, simple edition
novice2
sorry at no.ema.ail
Thu Jan 25 16:37:07 UTC 2024
I don't understand why string interpolation is related to SQL
injection on the D forums.
IMHO, these are parallel things.
The SQL injection problem should be (IMHO) solved by using a "prepare
statement" phase.
The programmer calls sql.prepare().
The DB driver makes one call to the DB server to send the query with
placeholders.
The DB server prepares the query for execution.
Then the programmer calls sql.bind_parameters() or
sql.execute_with_parameters().
The DB driver makes another, separate call to the DB server with the
parameter values and their types.
If a parameter contains an injection, it will not work.
The server does not concatenate the parameter with the query.
The prepared query on the DB server can be a parsed AST tree, not a query
string.
IMHO, string interpolation should not be used for DB code.
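As an added illustration of the prepare-then-bind discipline described in the post (this is example code, not from the post and not D code), the following uses Python's sqlite3 driver as a stand-in: the driver compiles the statement text with a placeholder and binds the value in a separate step, so a value containing quotes or comment markers is compared as data. The table, sample rows and function names (`make_db`, `lookup_interpolated`, `lookup_prepared`, `compare`) are constructed for this example; the post's `sql.prepare()` / `sql.bind_parameters()` are pseudocode and are not real API names here.

```python
import sqlite3


# Constructed sample table; the data and the function names are this
# example's own, not code from the forum post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("root", 1), ("o'brien", 0)],
    )
    conn.commit()
    return conn


def lookup_interpolated(conn, name):
    """Vulnerable: the value is spliced into the statement text, so any
    quote or comment marker in `name` changes what the server parses."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """Safe: the statement text carries only a placeholder. The driver
    compiles that text, then binds the value separately; the value is
    compared as data and is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and report what each returned
    (or that the interpolated statement failed to parse at all)."""
    conn = make_db()
    try:
        interpolated = lookup_interpolated(conn, name)
    except sqlite3.Error as exc:
        # A legitimate name with an apostrophe breaks the interpolated
        # statement; the prepared one handles it without special-casing.
        interpolated = f"error: {exc}"
    prepared = lookup_prepared(conn, name)
    conn.close()
    return {"interpolated": interpolated, "prepared": prepared}


if __name__ == "__main__":
    for probe in ["alice", "o'brien", "' OR 1=1 --"]:
        print(repr(probe), compare(probe))
```

With the probe `' OR 1=1 --`, the interpolated query becomes `... WHERE name = '' OR 1=1 --'` and returns every row, admin included, while the prepared query looks for a user literally named `' OR 1=1 --` and returns nothing. The probe `o'brien` shows the other side of the same point: interpolation produces a syntax error, the bound parameter matches the row.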
More information about the Digitalmars-d mailing list