lua-l archive



Good question.

Personally, I find that string formatting and concatenation can be tedious and error prone. Also, it makes a big mess of my code, even for simple queries. In my experience, programming errors are much easier to spot and fix when using query parameters.

One of the main arguments given for using query parameters is to prevent SQL injection attacks. For example:

string.format("SELECT * FROM t WHERE a = %s", mystring)

Wouldn't it be nice if some malicious person were to substitute the following for 'mystring':

mystring = "'aaa'; DELETE FROM t;"

With query parameters, this kind of attack is easily preventable.

Mike
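
As an added example (not code from the thread or from LuaSQL), here is the vulnerable string.format query from Mike's post beside a placeholder-binding function that quotes values the way driver-side parameters would; `bind` and `literal` are hypothetical names, and no database is assumed, so both functions return the SQL text rather than executing it.

```lua
-- Added example, not code from the thread or from LuaSQL: the vulnerable
-- string.format query from the post beside a placeholder-binding layer.
-- No database is assumed; both functions return the SQL text that would be
-- sent. `bind` is a hypothetical stand-in for the driver-side parameter
-- support the post describes patching into LuaSQL.

-- Vulnerable form from the post: the value is pasted straight into the SQL.
local function unsafe_query(mystring)
  return string.format("SELECT * FROM t WHERE a = %s", mystring)
end

-- Render one bound value as a SQL literal. Strings are quoted and embedded
-- single quotes are doubled, so a value can never close the literal and
-- start a second statement.
local function literal(v)
  local t = type(v)
  if v == nil then return "NULL"
  elseif t == "number" then return tostring(v)
  elseif t == "boolean" then return v and "TRUE" or "FALSE"
  elseif t == "string" then return "'" .. (v:gsub("'", "''")) .. "'"
  else error("cannot bind a value of type " .. t) end
end

-- Replace each '?' with the matching literal. A parameter count that does
-- not match the placeholder count is a hard error, not silently malformed SQL.
local function bind(sql, ...)
  local n, params, i = select("#", ...), { ... }, 0
  local out = sql:gsub("%?", function()
    i = i + 1
    return literal(params[i])
  end)
  if i ~= n then
    error(("query has %d placeholders but %d parameters were given"):format(i, n))
  end
  return out
end

-- The attacker-controlled value from the post.
local mystring = "'aaa'; DELETE FROM t;"
-- Formatted in: the input terminates the SELECT and appends a DELETE.
assert(unsafe_query(mystring) == "SELECT * FROM t WHERE a = 'aaa'; DELETE FROM t;")
-- Bound: the same input is one harmless string literal.
assert(bind("SELECT * FROM t WHERE a = ?", mystring)
       == "SELECT * FROM t WHERE a = '''aaa''; DELETE FROM t;'")
-- Mixed types, including nil -> NULL, and a count mismatch that is rejected.
assert(bind("SELECT * FROM t WHERE a = ? AND n > ? AND f IS ?", "x", 3, nil)
       == "SELECT * FROM t WHERE a = 'x' AND n > 3 AND f IS NULL")
assert(not pcall(bind, "SELECT * FROM t WHERE a = ? AND b = ?", "only one"))
```

Client-side quoting like `literal` is only a stand-in for what a driver does when it sends parameters separately from the query text; when the driver offers real parameter binding, use that.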



Tomas Guisasola Gorham wrote:
	Hi Michael

My original library was actually a layer of Lua sitting on top of LuaSQL. However, I did have to patch LuaSQL to make it support sending query parameters separately from the query string.
	But why do you need to use query parameters?  Don't you solve that
in Lua with `string.format' or something like that?

	Regards,
		Tomás