top | item 42825088


electronvolt | 1 year ago

I mean, in C++ (17? 20? Whenever constexpr was introduced) it's totally possible to create a library that allows you to build a SQL query via the language's string concatenation libraries/etc., but only allows you to do it with static strings unless you use ~shenanigans. (C++ unfortunately always allows ~shenanigans...)

I guess you do wind up needing to potentially re-implement some basic things (or I guess more complex, if you want format string support too). But for basic string concatenation & interpolation, it's reasonable.

That's a pretty useful way to get basic string concatenation while also preventing it from creating opportunities for SQL injection.

For example, you have a class that requires a constexpr input & can be appended to/concatenated/etc.:

  SqlStringPart(constexpr ...)
  operator+(SqlStringPart ...)
  (so on)

And you have a Query API that only takes SQL string expressions that are built out of compile time constants + parameters:

  SqlQuery(SqlStringPart ..., Parameters ...);

This doesn't solve the problem mentioned in the article around pagination & memory usage, but at least it avoids letting someone run arbitrary SQL on your database.
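The following is an added example, not code from the comment above: a small C++17 sketch of the "compile-time-only SQL text" idea. The names (SqlText, Param, SqlQuery, MakeQuery, the `_sql` literal suffix) are my own choices. Instead of a constexpr constructor it uses a user-defined string literal, because only a literal token can carry a suffix, so a std::string, a char buffer or anything else built at run time cannot become SqlText. Concatenation of two SqlText values is allowed; the only other way in is the private constructor, which, as the commenter says, a determined programmer can still reach with a friend declaration or a macro.

```cpp
// Added example (not the commenter's code). C++17.
// SqlText can be built only from string literals ("..."_sql) and from other
// SqlText values (operator+). Runtime strings go in as Param values instead.
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

class SqlText {
 public:
  // Concatenating two pieces of trusted text yields trusted text.
  friend SqlText operator+(const SqlText& a, const SqlText& b) {
    return SqlText(a.text_ + b.text_);
  }
  const std::string& str() const { return text_; }

 private:
  // Private: only the literal operator below and operator+ may call this.
  explicit SqlText(std::string s) : text_(std::move(s)) {}
  friend SqlText operator""_sql(const char* s, std::size_t n);
  std::string text_;
};

// A suffix can only follow a string literal token, so this operator is
// unreachable for std::string, const char*, or char[] values computed at run time.
inline SqlText operator""_sql(const char* s, std::size_t n) {
  return SqlText(std::string(s, n));
}

// A bound parameter. A real driver would ship these separately from the text,
// which is what keeps attacker-controlled bytes out of the SQL itself.
struct Param {
  std::string value;
};

struct SqlQuery {
  SqlText text;
  std::vector<Param> params;
};

// The only way to obtain a query object: trusted text plus a parameter list.
inline SqlQuery MakeQuery(SqlText text, std::vector<Param> params) {
  return SqlQuery{std::move(text), std::move(params)};
}

// Count '?' placeholders so a text/parameter mismatch is caught before execution.
inline std::size_t CountPlaceholders(const SqlText& t) {
  std::size_t n = 0;
  for (char c : t.str()) {
    if (c == '?') ++n;
  }
  return n;
}

inline bool IsWellFormed(const SqlQuery& q) {
  return CountPlaceholders(q.text) == q.params.size();
}

// Constructed usage: the user-supplied name can only travel as a parameter.
inline SqlQuery FindUserQuery(const std::string& userInput) {
  SqlText text = "SELECT id, name FROM users WHERE name = ?"_sql
               + " AND deleted_at IS NULL"_sql;
  return MakeQuery(text, {Param{userInput}});
}

// What does NOT compile (uncomment any line to check):
//   std::string s = "' OR 1=1 --";
//   SqlText bad1 = s;                                   // no conversion from std::string
//   SqlText bad2 = SqlText(s);                          // constructor is private
//   SqlText bad3 = "WHERE name = '"_sql + s + "'"_sql;  // no operator+(SqlText, std::string)
```

The `str()` accessor is the one place the trusted text leaves the type; it returns a plain std::string, so the result cannot flow back into a SqlText without going through the private constructor.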
