x1|13 years ago
...oh wait, right before it is sent to mysql it is turned back into a string again.
My point is that static typing doesn't help you do anything other than verify that the objects being passed are of a particular type. I'm not saying static typing is bad or good; I'm just saying that type checking itself is NEARLY USELESS unless you include some sort of validation.
Query q = new Query("select * from users where id = (id)");
QueryParam qp = new QueryParam("(id)", 25);
q.addParam(qp);
ResultSet rs = q.execute();

public class Query extends BaseQuery { // BaseQuery: assumed superclass that runs raw SQL text
    public ResultSet execute() {
        // Splice each parameter's text into the SQL before it reaches the driver.
        // Every call here is type-correct, and the value is still plain string replacement.
        String sql = this.getSql();
        for (QueryParam qp : this.getQueryParams()) {
            sql = sql.replace(qp.getId(), String.valueOf(qp.getValue()));
        }
        return super.execute(sql);
    }
}
That's all type safe. So it should be good right?
zopa|13 years ago
But if you write a secure version, you only have to write it once. You only have to maintain it in one place. You only need to test it in one place. And if you forget to use your secure Query type, anywhere else in your code, the compiler will yell at you. It's a significant advantage.
This is easier to see in a language with a rich, flexible and expressive type system than it is in Java. The writer of the original article used Haskell for a reason.
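The two positions above (x1's type-correct Query that splices parameters into the SQL text, and zopa's "write the secure version once" Query) run side by side below, as an added example that is not code from either commenter. It is in Python with an in-memory SQLite database rather than the thread's Java, so it shows the runtime behaviour of the two designs, not compile-time enforcement; the table, rows and the `ReplaceQuery`/`BoundQuery` class names are constructed for the illustration.

```python
import sqlite3

# Constructed sample data: a correct lookup of id 25 must return exactly one row.
USERS = [(1, "alice"), (25, "bob"), (99, "carol")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


class ReplaceQuery:
    """Mirrors the thread's Query: each placeholder is replaced by the
    parameter's text before the SQL reaches the driver. The interface is
    perfectly well-typed, and the result is still string splicing."""

    def __init__(self, sql: str) -> None:
        self.sql = sql
        self.params: dict[str, object] = {}

    def add_param(self, placeholder: str, value: object) -> None:
        self.params[placeholder] = value

    def execute(self, conn: sqlite3.Connection) -> list:
        sql = self.sql
        for placeholder, value in self.params.items():
            # The flaw: the value becomes part of the statement text.
            sql = sql.replace(placeholder, str(value))
        return conn.execute(sql).fetchall()


class BoundQuery:
    """The secure version written once: the statement text is fixed at
    construction and values are handed to the driver as bound parameters,
    so the SQL parser never sees them."""

    def __init__(self, sql: str) -> None:
        self.sql = sql
        self.params: list = []

    def add_param(self, value: object) -> None:
        self.params.append(value)

    def execute(self, conn: sqlite3.Connection) -> list:
        return conn.execute(self.sql, tuple(self.params)).fetchall()


def lookup_with_replace(user_id: object) -> list:
    q = ReplaceQuery("select * from users where id = (id)")
    q.add_param("(id)", user_id)
    return q.execute(make_db())


def lookup_with_binding(user_id: object) -> list:
    q = BoundQuery("select * from users where id = ?")
    q.add_param(user_id)
    return q.execute(make_db())


if __name__ == "__main__":
    payload = "25 OR 1=1"  # what an id taken from a request typically looks like
    print("replace, honest input :", lookup_with_replace(25))
    print("replace, payload      :", lookup_with_replace(payload))
    print("bound,   honest input :", lookup_with_binding(25))
    print("bound,   payload      :", lookup_with_binding(payload))
```

With the integer 25 both classes return the single row for bob. With the string `25 OR 1=1` the spliced query becomes `select * from users where id = 25 OR 1=1` and returns every row, while the bound query compares the INTEGER column against a TEXT value that is not a number and returns nothing. Whichever side of the static-versus-dynamic debate one takes, the property that matters is where the value enters: as statement text or as a bound parameter.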
x1|13 years ago
> You only have to maintain it in one place.
> You only need to test it in one place.
Again, so this cannot be done in a dynamic language? If it can be done, why bring them up?
> And if you forget to use your secure Query type, anywhere else in your code, the compiler will yell at you. It's a significant advantage.
The only thing the compiler will yell at you for is passing a type that is not a Query type. The compiler will not yell at you for getting the current session directly or for creating your own JDBC driver, for that matter.
gaius|13 years ago