Feedback Thread: DIP 1036--String Interpolation Tuple Literals--Community Review Round 2
Steven Schveighoffer
schveiguy at gmail.com
Fri Jan 29 13:42:40 UTC 2021
On 1/29/21 3:28 AM, Walter Bright wrote:
> > provides a call that is free of sql injection attacks
>
> This is a strong claim that requires substantiation, especially since
> sql injection attacks are a critical problem.
It's trivially true. The mysql_query function can know that
interp!"SELECT * FROM" type cannot be from sql injection because the
string was known at compile time. All runtime parameters are identified
because they are NOT interp structs, and therefore can use the correct
mechanism (prepared statements) that does not suffer from sql injection
attacks.
-Steve
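To make the mechanism Steve describes concrete, here is an added illustration in D; it is not code from the DIP, from the post, or from any MySQL binding. The `interp` struct, the `isInterp` check and the `mysqlQuery` wrapper are hypothetical stand-ins for what a library author could write once the literal segments of an interpolated string arrive as `interp!"..."` types: literal text goes into the SQL, every other argument becomes a `?` placeholder and a bound parameter. The attacker-style input and the `users` table are constructed for the example.

```d
import std.array : appender;
import std.stdio : writeln;
import std.variant : Variant;

// Hypothetical stand-in for the interp struct the post refers to: the
// literal text is a compile-time template argument, so a function that
// receives one knows the text cannot have come from runtime input.
struct interp(string text)
{
    enum str = text;
}

// Is T an instantiation of interp!"..."? Runtime values (string, int,
// ...) fail this test, which is what lets the wrapper sort them out.
enum isInterp(T) = is(T == interp!s, string s);

struct PreparedQuery
{
    string sql;        // literal text and '?' placeholders only
    Variant[] params;  // runtime data, bound separately by the driver
}

// Hypothetical safe wrapper: literal segments are appended verbatim,
// every other argument becomes a '?' plus a bound parameter. No runtime
// value is ever spliced into the SQL text, so there is nothing to escape.
PreparedQuery mysqlQuery(Args...)(Args args)
{
    PreparedQuery q;
    auto sql = appender!string;
    static foreach (i, A; Args)
    {
        static if (isInterp!A)
            sql ~= A.str;
        else
        {
            sql ~= "?";
            q.params ~= Variant(args[i]);
        }
    }
    q.sql = sql.data;
    return q;
}

// The naive version for contrast: runtime data is pasted into the SQL.
string concatQuery(string name)
{
    return "SELECT * FROM users WHERE name = '" ~ name ~ "'";
}

void main()
{
    // Constructed attacker input.
    string name = "' OR '1'='1";

    // Concatenation: the quote in the input changes the query's meaning.
    auto unsafe = concatQuery(name);
    writeln(unsafe);
    // SELECT * FROM users WHERE name = '' OR '1'='1'

    // What mysqlQuery would receive for an interpolated string whose only
    // literal segment is the SELECT prefix and whose only runtime value is
    // `name`, spelled out by hand here instead of via the i"..." syntax.
    auto safe = mysqlQuery(interp!"SELECT * FROM users WHERE name = "(), name);
    writeln(safe.sql);     // SELECT * FROM users WHERE name = ?
    writeln(safe.params);  // the attacker string, bound as data, not SQL
}
```

The check a practitioner should make on any real wrapper built this way is the converse case: a caller that passes a runtime `string` holding SQL text (say, a table name assembled from user input) still ends up as a bound parameter rather than as query text, so the wrapper fails closed; the only way to get text into the statement is through a literal segment the compiler saw.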
More information about the Digitalmars-d mailing list