[Info-vax] Teaching, was: Re: Any stronger versions of the LMF planned ?
Arne Vajhøj
arne at vajhoej.dk
Thu Aug 12 20:47:26 EDT 2021
On 8/12/2021 7:40 PM, Lawrence D’Oliveiro wrote:
> On Friday, August 13, 2021 at 12:15:25 AM UTC+12, Simon Clubley
> wrote:
>> You need to learn the SQL syntax and how to apply it to
>> applications but you should be using a parameter based API to
>> actually build the SQL query.
>
> There seems to be a lot of fear and loathing around the simple
> concept of properly escaping parameter values in SQL and other
> embedded languages, isn’t there?
Yes.
Experience has shown that escaping parameter values frequently goes
wrong.
Prepared statement / parameters is the right solution.
> This stuff isn’t so hard--they’re
> all just regular grammars, after all.
It can get very messy with Unicode and different character sets
in play.
> All the decent DBMS APIs offer a “format_sql_value()” function or
> equivalent anyway.
No.
Decent database APIs provide support for prepared statement /
parameters.
Some may provide a function like the one you describe, but usage
of it is a serious code smell.
> But this is getting away from the point, that COBOL’s supposed
> “business” orientation actually built-in a massive blind spot to what
> was actually emerging as business needs.
COBOL embedded SQL to relational databases works fine.
Arne
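The point Arne makes above, that building SQL by hand breaks once values carry quotes or non-ASCII text while bound parameters sidestep the problem entirely, as an added example that is not part of the thread. It uses Python's standard sqlite3 module against an in-memory table with constructed sample rows; the table, column names and sample values are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data: one name with an embedded quote, two with non-ASCII characters.
SAMPLE_NAMES = ["O'Brien", "Søren Kierkegård", "Zoë"]


def make_db():
    """Create an in-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    # Even the setup uses parameters: executemany binds each value separately.
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """The approach the thread warns against: splice the value into the SQL text.

    A value containing a quote changes the grammar of the statement, so the
    parser sees a malformed query and sqlite3 raises an error.
    """
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def concat_breaks(conn, name):
    """Return True if string-building the query for this value fails to parse."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.Error:
        return True


def lookup_param(conn, name):
    """Prepared statement with a bound parameter.

    The SQL text is fixed; the driver hands the value to the engine separately,
    so quotes, Unicode and character-set differences never reach the SQL parser
    and no escaping step exists to get wrong.
    """
    row = conn.execute("SELECT name FROM customers WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def demo():
    """Run both lookups over the sample names and collect the outcomes."""
    conn = make_db()
    return {name: {"concat_breaks": concat_breaks(conn, name),
                   "param_result": lookup_param(conn, name)}
            for name in SAMPLE_NAMES}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: string-built query breaks={outcome['concat_breaks']}, "
              f"parameterised lookup -> {outcome['param_result']!r}")
```

Running it shows the string-built query failing on `O'Brien` with a syntax error while the parameterised lookup returns every row, including the non-ASCII names, unchanged. The same shape applies to COBOL embedded SQL host variables and to any other driver that supports bind parameters: the query text stays constant and the data travels out of band.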