[Info-vax] Any stronger versions of the LMF planned ?, was: Re: LMF Licence Generator Code
Lawrence D’Oliveiro
lawrencedo99 at gmail.com
Thu Aug 12 19:46:35 EDT 2021
On Thursday, August 12, 2021 at 7:15:02 PM UTC+12, Jan-Erik Söderholm wrote:
>
> On 2021-08-12 at 08:58, Lawrence D’Oliveiro wrote:
>
>> But it turns out the best way to interface to a relational DBMS is to generate
>> SQL query strings.
>
> No, it is not. It is inefficient (since it needs to "compile" the
> SQL at each execution) and dynamical SQL statements are the source
> for "SQL injection" issues.
Ah, the mindless knee-jerk reaction yet again. No, the source of embedded-language issues is improper quoting of embedded parameter values. I see this a lot in PHP code that I am called upon to fix! All the good DBMS APIs I have come across offer a “format_sql_value()” function, or equivalent, to address precisely this problem.
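The distinction drawn above, as an added example that is not part of the thread: the same lookup written three ways in Python against an in-memory SQLite table. `lookup_city_naive` pastes the value into the query text unquoted, so a perfectly ordinary name containing an apostrophe breaks the statement; `lookup_city_quoted` keeps the dynamic SQL but renders the literal through a `format_sql_value` helper (a hypothetical stand-in for the kind of function the post mentions, written here for SQLite's quoting rules); `lookup_city_bound` hands the value to the driver as a bound parameter. The table contents are constructed sample data.

```python
import sqlite3

# Constructed sample rows; the apostrophe in the first name is the point.
CUSTOMERS = [("O'Brien", "Dublin"), ("Smith", "Leeds")]


def make_db():
    """Build a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", CUSTOMERS)
    return conn


def format_sql_value(value):
    """Hypothetical helper: render a Python value as a correctly quoted
    SQL literal. Strings are wrapped in single quotes with any embedded
    single quote doubled, which is the standard SQL (and SQLite) rule."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def lookup_city_naive(conn, name):
    # Improper quoting: the raw value is spliced into the statement text.
    sql = "SELECT city FROM customer WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def naive_query_breaks(conn, name):
    # True when the spliced-in value makes the statement unparsable.
    try:
        lookup_city_naive(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def lookup_city_quoted(conn, name):
    # Still dynamic SQL, but the literal is produced by the quoting helper.
    sql = "SELECT city FROM customer WHERE name = " + format_sql_value(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_city_bound(conn, name):
    # Bound parameter: the driver never builds a literal from the value at all.
    rows = conn.execute("SELECT city FROM customer WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for who in ("Smith", "O'Brien"):
        print(who, "naive breaks:", naive_query_breaks(db, who),
              "quoted:", lookup_city_quoted(db, who),
              "bound:", lookup_city_bound(db, who))
```

The naive form fails on `O'Brien` because the value's own quote character ends the literal early; the quoted and bound forms both return `Dublin`. Between the last two, binding has the extra advantage Jan-Erik alludes to: the statement text is constant, so the DBMS can compile it once and reuse the plan across executions.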