- Subject: Re: Simple PostgreSQL client library
- From: Michael Broughton <mbobowik@...>
- Date: Mon, 02 Apr 2007 11:54:15 -0600
Personally, I find that string formatting and concatenation can be
tedious and error prone. Also, it makes a big mess of my code, even for
simple queries. In my experience, programming errors are much easier to
spot and fix when using query parameters.
One of the main arguments given for using query parameters is to prevent
SQL injection attacks. For example:
string.format("SELECT * FROM t WHERE a = %s", mystring)
Wouldn't it be nice if some malicious person were to substitute the
following for 'mystring':
mystring = "'aaa'; DELETE FROM t;"
With query parameters, this kind of attack is easily preventable.
Tomas Guisasola Gorham wrote:
> > My original library was actually a layer of Lua sitting on top of
> > LuaSQL. However, I did have to patch LuaSQL to make it support sending
> > query parameters separately from the query string.
> But why do you need to use query parameters? Don't you solve that
> in Lua with `string.format' or something like that?
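The difference Michael describes, as an added example (not code from the Lua library or from the thread): Python with an in-memory SQLite table stands in for the PostgreSQL client, the `%` operator plays the role of `string.format`, and `executescript` mimics a driver that hands the whole text to the server, which is what lets the spliced-in `DELETE` run. The table `t`, its rows and the payload string are constructed for the demonstration.

```python
import sqlite3

# Payload quoted in the message, constructed here as test input.
PAYLOAD = "'aaa'; DELETE FROM t;"

def fresh_db():
    """Build a throwaway table t with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (a TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", [("x",), ("y",), ("aaa",)])
    conn.commit()
    return conn

def query_formatted(conn, mystring):
    """Equivalent of string.format("SELECT * FROM t WHERE a = %s", mystring).

    The value is spliced into the SQL text, so quotes and semicolons in it
    become part of the statement. Returns the text that reached the server.
    """
    sql = "SELECT * FROM t WHERE a = %s" % mystring
    # executescript runs every statement in the string, like a driver that
    # sends the full text to the server in one round trip would.
    conn.executescript(sql)
    return sql

def query_parameterised(conn, mystring):
    """Send the statement and the value separately.

    The driver binds mystring as one string value, so it can never close the
    literal or start a second statement; the payload just matches no row.
    """
    return conn.execute("SELECT * FROM t WHERE a = ?", (mystring,)).fetchall()

def remaining_rows(conn):
    """Row count of t, used to check whether the DELETE ever ran."""
    return conn.execute("SELECT COUNT(*) FROM t").fetchone()[0]
```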