enum Format
Timon Gehr
timon.gehr at gmx.ch
Fri Jan 12 15:03:22 UTC 2024
On 1/12/24 06:28, Walter Bright wrote:
> On 1/11/2024 11:50 AM, Timon Gehr wrote:
>> On 1/11/24 03:21, Walter Bright wrote:
>>> As for it being a required feature of string interpolation to do this
>>> processing at compile time, that's a nice feature, not a must have.
>>
>> As far as I am concerned it is a must-have. For example, this is what
>> prevents the SQL injection attack, it's a safety guarantee.
>
> Why does compile time make it a guarantee and runtime not?
> ...
Because a SQL injection attack by definition is when a third party can
control safety-critical parts of your SQL query at runtime.
The very fact that the whole prepared SQL query is known at
compile-time, with runtime data only entering through the placeholders,
conclusively rules this out. If the SQL query is constructed at runtime
based on runtime data, `execi` is unable to check whether an SQL
injection vulnerability is present.
> We do array bounds checking at runtime.
You can check array bounds at runtime. You cannot check where a
runtime-known string came from at runtime. It's simply not possible.
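The distinction Timon draws above, shown as an added example that is not part of the original post and uses Python's `sqlite3` module rather than D's `execi`: one lookup assembles the query text at runtime from third-party data, the other keeps the query text a fixed literal and lets the data enter only through a placeholder. The users table, the `make_db` helper and the `ATTACK` string are constructed for the example. The last function illustrates the point about runtime checks: a query string assembled from attacker data is byte-for-byte identical to the same text written as a literal, so an executor that receives only the finished string has nothing to inspect.

```python
import sqlite3

# Constructed sample database (not from the original post).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return con


def lookup_unsafe(con: sqlite3.Connection, name: str) -> list:
    # The query text itself is built at runtime from third-party data.
    # Whatever `name` contains becomes part of the SQL, so a third party
    # controls a safety-critical part of the query.
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(query)]


def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    # The query text is a literal fixed in the source; runtime data enters
    # only through the placeholder, as in the prepared-query form the reply
    # describes. The database never parses `name` as SQL.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in con.execute(query, (name,))]


# Constructed attacker input: closes the quoted literal and appends a
# tautology so the WHERE clause matches every row.
ATTACK = "x' OR '1'='1"


def assembled_equals_literal() -> bool:
    # A hypothetical runtime check cannot tell where a string came from:
    # the text assembled from ATTACK is identical to the same text typed
    # directly as a literal, so no inspection of the final string can
    # distinguish the two.
    assembled = "SELECT name FROM users WHERE name = '" + ATTACK + "'"
    literal = "SELECT name FROM users WHERE name = 'x' OR '1'='1'"
    return assembled == literal


if __name__ == "__main__":
    con = make_db()
    print("unsafe:", lookup_unsafe(con, ATTACK))   # every user leaks
    print("safe:  ", lookup_safe(con, ATTACK))     # no such name, empty
    print("indistinguishable:", assembled_equals_literal())
```

Run the module directly to see the unsafe lookup return every user while the placeholder form returns nothing for the same input; only the form whose query text is fixed before any runtime data arrives can rule the injection out.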