Re: Standard DBI Proposal

On Oct 28, 9:03 am, tpoin...@xxxxxxx (Tom Poindexter) wrote:
In article <1193568971.539347.229...@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
Donal K. Fellows <donal.k.fell...@xxxxxxxxx> wrote:



Darren New wrote:
It would be nice, but how do you handle code like
if ("" != $_GET['name'])
$sql .= "WHERE name like '" . esc($_GET['name']) . "%' AND ";
(Yes, it's PHP. Deal. :-)

I often do this sort of thing with a dozen different form fields,
building up a query clause by clause. If I had only prepared statements,
would I need 2^N statements?

No, since the interface layer should be hiding all that stuff from
you, and you'd just be writing:

if {$GET(name) ne ""} {
# I can't remember right now if SQLite handles array vars
set paramName $GET(name)
append sql {WHERE name LIKE '$paramName%' AND }
}

Yes, this is the SQLite approach. It gets it *right*.

I just hope that implementors of such an interface will first
brush up on SQL Injection attacks, as the above code
demostrates.

Good point, I didn't notice the lack of quoting. I'm not sure how this
is an example of an interface, maybe there is some magic going on
behind the scenes which isn't shown.

Regardless of any magic, parameter checking shouldn't be handled in
every page a parameter is used. It works great for a one programmer
system, but as soon as someone new shows up and starts to add new
queries, they have to figure out how to validate and quote parameters
by looking at example code. Maybe they will do it, maybe they will
think they are doing it correctly, who knows. But...what happens when
you discover two months into a project that a title field needs to be
512 chars long, not 128? Now you need to hunt down and change every
use of that field and update the validation (and you are doing
validation, including length checking, prior to insert, right?) Well,
I wouldn't be surprised if someone skipped it, for now, until time is
available, and that is the exact point. Time isn't available, so why
waste it doing the same thing over and over again, when you could
specify once, in one place, the parameter names, types, default
values, etc.?


.

Relevant Pages

  • Re: Standard DBI Proposal
    ... I often do this sort of thing with a dozen different form fields, building up a query clause by clause. ... If I had only prepared statements, ...
    (comp.lang.tcl)
  • Re: Standard DBI Proposal
    ... I often do this sort of thing with a dozen different form fields, ... building up a query clause by clause. ... If I had only prepared statements, ... this is the SQLite approach. ...
    (comp.lang.tcl)