Re: Standard DBI Proposal

Sean Woods wrote:
So at the risk of another long post, here's a quick draft of the "Sql
dialect" functions I've developed for my own systems:
[...]
sqlprep value -
Escape and quote a value in the manner the database engine
likes best. (i.e. foo -> 'foo')
sqlfix data -
Escape a string the way the database engine expects
[...]

Hold it right there, buster! I see PHP-style magic quoting! No! It's so
thoroughly misunderstood that it can only be viewed as an invitation to
SQL-injection attacks. (See http://xkcd.com/327/ for why this matters.)

My proposal was simpler in many ways, in that it *requires* that people
support (at the user Tcl script level if nowhere else) SQL prepared
statements with embedded references to Tcl variables. Internally, if the
DB engine is so broken that it doesn't do prepared statements, then the
DBI has to do the magic quotes stuff. But it hides what it is doing from
the script level.

I want to make databases easy to use. If that means it's a bit harder to
write the interface, so be it.

Donal.
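A small Python model (added here, not Donal's or Sean's code) of the design Donal describes: the script writes `:name` references into the statement, the DBI binds them natively when the engine has prepared statements and does the quoting itself, out of sight of the script, when it does not. `NativeBackend`, `QuotingBackend`, `DBI` and the sample table are assumptions for the example; sqlite3 stands in for both kinds of engine.

```python
import re
import sqlite3

# Embedded variable reference in the statement text, e.g. ":name" (modelled on the Tcl-style proposal)
PLACEHOLDER = re.compile(r":(\w+)")

def sql_literal(value):
    """Fallback quoting done *inside* the DBI, never by the script (the page's 'sqlprep' role)."""
    if isinstance(value, int) and not isinstance(value, bool):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"

class NativeBackend:
    """Engine with real prepared statements: values are bound, never spliced into SQL text."""
    def execute(self, conn, sql, params):
        return conn.execute(sql, params).fetchall()   # sqlite3 binds :name placeholders natively

class QuotingBackend:
    """Stand-in for an engine without prepared statements (constructed for this example):
    the DBI substitutes quoted literals itself and sends plain SQL text."""
    def execute(self, conn, sql, params):
        text = PLACEHOLDER.sub(lambda m: sql_literal(params[m.group(1)]), sql)
        return conn.execute(text).fetchall()

class DBI:
    """Script-facing layer: the same call shape whichever backend is underneath."""
    def __init__(self, backend):
        self.backend = backend
        self.conn = sqlite3.connect(":memory:")           # constructed sample data
        self.conn.execute("CREATE TABLE users(name TEXT)")
        self.conn.executemany("INSERT INTO users VALUES (?)",
                              [("alice",), ("bob",), ("o'brien",)])

    def query(self, sql, **script_vars):
        names = PLACEHOLDER.findall(sql)
        missing = [n for n in names if n not in script_vars]
        if missing:
            raise KeyError(f"statement references unbound variables: {missing}")
        params = {n: script_vars[n] for n in names}
        return self.backend.execute(self.conn, sql, params)

def lookup(backend, name):
    """Script-level use: the SQL carries :name, the value travels separately."""
    return DBI(backend).query("SELECT name FROM users WHERE name = :name", name=name)

if __name__ == "__main__":
    for backend in (NativeBackend(), QuotingBackend()):
        print(type(backend).__name__, lookup(backend, "o'brien"), lookup(backend, "x' OR '1'='1"))
```

With either backend a legitimate apostrophe (`o'brien`) matches its row and a value shaped like an injection attempt matches nothing, because the script never assembles SQL text from data.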