top | item 35013646

(no title)

nezirus | 3 years ago

That database stuff looks horrible. Why do they feel the need to introduce DB query templating into string templates? No matter what you do on the client side, the database engine itself should escape/validate the data. Didn't we learn that lesson with PHP?

In addition to that, not every database needs prepared statements for safe queries e.g. "Parametrized queries" in PostgreSQL (available in libpq as PQExecParams and exposed in many other higher level languages)

discuss

bcrosby95|3 years ago

The database stuff looks like an example, and shows how you could extend the template system in a way that doesn't introduce security problems.

nezirus|3 years ago

That is exactly the point, you should not use general string templating system for SQL queries, together with "roll your own" escape and validation mechanisms. I really don't see why they included that part, if not to show how to shoot yourself in the foot.

imtringued|3 years ago

>No matter what you do on the client side, the database engine itself should escape/validate the data. Didn't we learn that lesson with PHP?

You apparently didn't learn any lesson from PHP. The impossibility of the database engine to distinguish a code from a data character is what lead to SQL injections in the first place.

It doesn't matter whether you replace the template expression with a ? or with $1. The database receives the parameters outside the SQL query and treats them as user input either way.

hibbelig|3 years ago

You have to escape the things before they reach the database engine. Prepared statements do this via ? Placeholders but they are hard to read. With this you get named placeholders, much nicer to read.