I thought I had finally devised a good method to dynamically construct SQL queries in , but it turns out I can make a horrible mess of everything.

@ayo I have a theory that the only #SQL that can appear in a client application is "call proc_name (arguments);", if the server is properly configured to accept only these, SQL injection is no longer an issue.

@amiloradovsky SQL injection isn't the problem, though - the code in the screenshot is safe from that. The problem is overly dynamic queries with filters and sorting depending on user input. And this is actually a simple example...

@ayo Oh, I wasn't criticizing the code in the screenshot per se. But sure the more complex the composed query is, the harder it is to ensure it's safety.

Follow

@amiloradovsky That is certainly true. Integrating SQL into the host language type system (if it has a static one, i.e. not Perl) really helps with that, but tends to heavily complicate and limit the flexibility of queries.

@ayo But all the flexibility should only be used on the server anyway.

Sign in to participate in the conversation
niu.moe

We are a cute and loving international community O(≧▽≦)O !