Interpolated strings and SQL
Walter Bright
newshound2 at digitalmars.com
Wed Jan 10 00:03:31 UTC 2024
On 1/9/2024 12:04 AM, Nickolay Bukreyev wrote:
> I’ve just realized DIP1036 has an excellent feature that is not evident right
> away. Look at the signature of `execi`:
>
> ```d
> auto execi(Args...)(Sqlite db, InterpolationHeader header, Args args,
> InterpolationFooter footer) { ... }
> ```
>
> `InterpolationHeader`/`InterpolationFooter` _require_ you to pass an istring.
> Consider this example:
>
> ```d
> db.execi(i"INSERT INTO items VALUES ($(x))".text);
> ```
>
> Here, we accidentally added `.text`. It would be an SQL injection… but the
> compiler rejects it! `typeof(i"...".text)` is `string`, and `execi` cannot be
> called with `(Sqlite, string)`.
The compiler will indeed reject it (the error message would be a bit baffling to
those who don't know what Interpolation types are), along with any attempt to
call execi() with a pre-constructed string.
The end result is that to do manipulation with istring tuples, the programmer is
alternately faced with adding Interpolation elements or filtering them out. Is
that really what we want? Will that impede the use of tuples generally, or just
impede the use of istrings?
---
P.S. most keyboarding bugs result from neglecting to add needed syntax, not
typing extra stuff. This is why:
int* p;
is initialized to zero, while:
int* p = void;
is left uninitialized. The user is unlikely to accidentally type "= void".
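Worked example, added here and not code from the thread or from the DIP1036 authors: an `execi` with the quoted signature that walks the istring tuple, copies literal SQL text verbatim and turns every interpolated value into a `?` placeholder with a bound parameter, plus the compile-time rejection of the accidental `.text`. It assumes a compiler implementing DIP1036e (`core.interpolation` with `InterpolationHeader`/`InterpolationFooter`, `InterpolatedLiteral`, `InterpolatedExpression`); the `Sqlite` struct is a constructed stand-in that only records what would be executed, not a real database binding.

```d
import core.interpolation; // InterpolationHeader/Footer, InterpolatedLiteral, InterpolatedExpression
import std.conv : text, to;
import std.traits : isInstanceOf, TemplateArgsOf;

// Constructed stand-in for a database handle: records the statement text
// and the parameters that would be bound to it.
struct Sqlite
{
    string sql;
    string[] params;
}

// Same shape as the signature quoted above. Only an istring tuple fits, because
// nothing else produces the InterpolationHeader/InterpolationFooter pair.
void execi(Args...)(ref Sqlite db, InterpolationHeader header, Args args, InterpolationFooter footer)
{
    db.sql = null;
    db.params = null;
    static foreach (i, A; Args)
    {
        static if (isInstanceOf!(InterpolatedLiteral, A))
            db.sql ~= TemplateArgsOf!A[0];   // literal SQL text, copied verbatim
        else static if (isInstanceOf!(InterpolatedExpression, A))
        { }                                  // source text of `$(...)`, not part of the query
        else
        {
            db.sql ~= "?";                   // the value itself becomes a bound parameter
            db.params ~= args[i].to!string;
        }
    }
}

void main()
{
    Sqlite db;
    string x = "O'Reilly";                   // a quote in user data never reaches the SQL text

    db.execi(i"INSERT INTO items VALUES ($(x))");
    assert(db.sql == "INSERT INTO items VALUES (?)");
    assert(db.params == [x]);

    // The accidental `.text` from the quoted message yields a plain string, which does
    // not match (InterpolationHeader, ..., InterpolationFooter): rejected at compile time.
    static assert(!__traits(compiles, db.execi(i"INSERT INTO items VALUES ($(x))".text)));
    // The same holds for any hand-concatenated query string.
    static assert(!__traits(compiles, db.execi("INSERT INTO items VALUES ('" ~ x ~ "')")));
}
```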