Tuples, CTFE, and Sliding Template Arguments
Adam Wilson
flyboynw at gmail.com
Sat Jan 13 07:03:14 UTC 2024
On Saturday, 13 January 2024 at 06:27:51 UTC, Walter Bright wrote:
>
> Escaping % is not hard to do. It's ordinary.
>
I don't see people arguing that escaping is *difficult* to do.
It's not. What *is* difficult is remembering to do it perfectly,
every time, and accidentally building a silent injection attack
when you (inevitably) fail. Especially since the attack vector is
not detectable to linting tools. All systems with a special
format-specifier are unsafe for use with SQL. Period.
Think of it this way: You have the option to install a fail-safe
critical system in your jet, and everybody is telling you to do it,
but you're saying "Nah fam, it'll be fine. The odds are so low
that a human will screw up this one manual step and this design
will burn 0.1% less fuel and costs 10% less." *cough*MCAS*cough*.
Actually, MCAS is a pretty fair analogy here. The system mostly
works as designed, except for the one button that if you don't
push it when things go bad, brings down two airframes. That's how
big a deal SQL injections are.
Don't be 2010's Boeing, be 1970s Boeing. Please build an
indestructible 757.
Note that Java considered and rejected your premise in their
version of this feature, with their reasoning laid out in the
[spec-document](https://openjdk.org/jeps/430).
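As an added illustration of the point above (example code written for this page, not from the post or from any D library), the following Python snippet builds one query with a format specifier and one with a driver placeholder, then runs both against a small constructed in-memory SQLite table. The table contents and the two inputs are constructed for the demo. It shows the two failure modes the post is alluding to: an ordinary apostrophe breaks the formatted query outright, and a quote-bearing input silently changes what the formatted query returns, while the parameterized version handles both because the statement text never contains the value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("root", 1)],
    )
    return conn


def lookup_formatted(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the post warns about: the value is pasted into the
    statement text via a format specifier, so the database cannot tell
    where the query ends and the data begins. Nothing here is escaped,
    which is exactly the 'forgot it this one time' case."""
    query = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The fail-safe: the statement text is fixed and the value travels
    separately as a bound parameter, so there is nothing to escape."""
    query = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(query, (name,))]


def apostrophe_breaks_formatting(conn: sqlite3.Connection) -> bool:
    """A perfectly legitimate name with an apostrophe (constructed input)
    turns the formatted query into invalid SQL. Returns True if the
    driver rejects the statement."""
    try:
        lookup_formatted(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    """Run both builders on a benign input and on a constructed input that
    contains a quote, and return the rows each one produced."""
    conn = make_db()
    benign = "alice"
    # Constructed input: a quote followed by an always-true condition.
    # The formatted query treats it as SQL; the bound parameter does not.
    quoted = "x' OR '1'='1"
    return {
        "formatted_benign": lookup_formatted(conn, benign),
        "formatted_quoted": lookup_formatted(conn, quoted),
        "param_benign": lookup_parameterized(conn, benign),
        "param_quoted": lookup_parameterized(conn, quoted),
        "apostrophe_breaks_formatting": apostrophe_breaks_formatting(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "formatted_quoted" entry returns every row in the table, including the admin account, with no error raised anywhere; that is the silent failure the post describes, and it is the reason a placeholder mechanism that the type system enforces is preferable to an escaping step a human has to remember.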