I thought I had finally devised a good method to dynamically construct SQL queries in , but it turns out I can make a horrible mess of everything.

@ayo I have a theory that the only #SQL that can appear in a client application is "call proc_name (arguments);", if the server is properly configured to accept only these, SQL injection is no longer an issue.

@amiloradovsky SQL injection isn't the problem, though - the code in the screenshot is safe from that. The problem is overly dynamic queries with filters and sorting depending on user input. And this is actually a simple example...

@ayo Oh, I wasn't criticizing the code in the screenshot per se. But sure the more complex the composed query is, the harder it is to ensure its safety.


@amiloradovsky That is certainly true. Integrating SQL into the host language type system (if it has a static one, i.e. not Perl) really helps with that, but tends to heavily complicate and limit the flexibility of queries.

@ayo But all the flexibility should only be used on the server anyway.
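The thread's actual problem (not injection through values, but dynamic filters and sort order driven by user input) is usually solved by splitting a query into two kinds of parts: identifiers, which are only ever chosen from a whitelist, and values, which only ever travel as bound parameters. The following is an added example written for this page, not code from anyone in the thread; it assumes a SQLite `products` table with constructed sample rows, and the whitelists and the `QueryError` type are hypothetical names chosen here.

```python
import sqlite3
from typing import Any

# Whitelists: the only identifiers and keywords that may ever reach the SQL text.
# (Hypothetical schema for this example.)
ALLOWED_COLUMNS = {"id", "name", "price", "category"}
ALLOWED_OPERATORS = {"eq": "=", "lt": "<", "gt": ">", "like": "LIKE"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


class QueryError(ValueError):
    """Raised when user input names a column, operator or direction outside the whitelist."""


def build_query(filters: list[tuple[str, str, Any]],
                sort: list[tuple[str, str]],
                limit: int) -> tuple[str, list[Any]]:
    """Return (sql, params).

    Column names, operators and sort directions are looked up in whitelists and
    never copied from user input; filter values and the limit are passed as
    bound parameters, so they are treated as data whatever they contain.
    """
    where_parts: list[str] = []
    params: list[Any] = []
    for column, op, value in filters:
        if column not in ALLOWED_COLUMNS:
            raise QueryError(f"unknown filter column: {column!r}")
        if op not in ALLOWED_OPERATORS:
            raise QueryError(f"unknown operator: {op!r}")
        where_parts.append(f'"{column}" {ALLOWED_OPERATORS[op]} ?')
        params.append(value)

    order_parts: list[str] = []
    for column, direction in sort:
        if column not in ALLOWED_COLUMNS:
            raise QueryError(f"unknown sort column: {column!r}")
        if direction not in ALLOWED_DIRECTIONS:
            raise QueryError(f"unknown sort direction: {direction!r}")
        order_parts.append(f'"{column}" {ALLOWED_DIRECTIONS[direction]}')

    # The limit is data too, but bound it so a client cannot ask for everything.
    if not isinstance(limit, int) or not 1 <= limit <= 1000:
        raise QueryError("limit must be an integer between 1 and 1000")

    sql = 'SELECT "id", "name", "price", "category" FROM products'
    if where_parts:
        sql += " WHERE " + " AND ".join(where_parts)
    if order_parts:
        sql += " ORDER BY " + ", ".join(order_parts)
    sql += " LIMIT ?"
    params.append(limit)
    return sql, params


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, category TEXT)")
    conn.executemany(
        "INSERT INTO products (name, price, category) VALUES (?, ?, ?)",
        [("widget", 2.5, "tools"), ("gadget", 10.0, "tools"),
         ("gizmo", 7.0, "toys"), ("doohickey", 1.0, "toys")],
    )
    return conn


def product_names(conn: sqlite3.Connection, filters, sort, limit) -> list[str]:
    """Run a dynamically built query and return the matching product names in order."""
    sql, params = build_query(filters, sort, limit)
    return [row[1] for row in conn.execute(sql, params)]


def rejects(filters, sort, limit) -> bool:
    """True if the builder refuses this combination of user-supplied parts."""
    try:
        build_query(filters, sort, limit)
    except QueryError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(product_names(db, [("category", "eq", "tools")], [("price", "desc")], 10))
    print(rejects([("name; DROP TABLE products", "eq", "x")], [], 10))
```

The design keeps the query flexible on the client side without ever letting client-chosen text become SQL syntax: everything that shapes the statement is a key into a dictionary the server owns. That is the same property a stored-procedure-only policy gives you, expressed as a small query builder instead.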

niu.moe