- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 17 Oct 2007 21:37:57 +0000 (UTC)
On Wed, 17 Oct 2007, Scott Hess wrote:
>
> Honestly, something like quote() is not necessary. It's just that
> constructing SQL statements via concatenation is a hole I often see
> people falling into. Having quote() allows you to construct safer SQL
> statements, but people who construct statements directly rather than
> constructing a parallel statement and arg array may be beyond saving.
>
> Other cases I've seen where quote() could be used are dynamic
> construction of WHERE clauses, something like:
>
> var sql = "SELECT rowid FROM t WHERE name = ?"
> if (color) {
> sql += " AND color = " + color;
> }
> ...
>
> and comparable constructs for INSERT and UPDATE. As mentioned, these
> can generally be handled by constructing the statement with bind
> parameters in parallel to the arg array. Depending on control flow,
> this can be pretty annoying, but my experience with this is mostly in
> C/C++, where it's much more annoying to change the types of things.
Yeah. I think having quote() might do as much damage by encouraging people
to write codepaths that need it as it might help by having people writing
those codepaths anyway be saved (if, that is, they know to be saved).
What would be cool is if we could detect, through tainting, the bad
codepaths. But I see no way to do that here.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 17 October 2007 14:37:57 UTC