Re: Simple PostgreSQL client library

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Simple PostgreSQL client library
From: Michael Broughton <mbobowik@...>
Date: Mon, 02 Apr 2007 11:54:15 -0600

Good question.

Personally, I find that string formatting and concatenation can betedious and error prone. Also, it makes a big mess of my code, even forsimple queries. In my experience, programming errors are much easier tospot and fix when using query parameters.

One of the main argument given for using query parameters is to preventSQL injection attacks. For example:


string.format("SELECT * FROM t WHERE a = %s", mystring)

Wouldn't it be nice if some malicious person where to substitute thefollowing for 'mystring':


mystring = "'aaa'; DELETE FROM t;"

With query parameters, this kind of attack is easily preventable.

Mike



Tomas Guisasola Gorham wrote:

	Hi Michael
My original library was actually a layer of Lua sitting on top ofLuaSQL. However, I did have to patch LuaSQL to make it support sendingquery parameters separately from the query string.
	But why you need to use query parameters?  Don't you solve that
in Lua with `string.format' or something like that?

	Regards,
		Tomás

References:
- Simple PostgreSQL client library, Michael Broughton
- Re: Simple PostgreSQL client library, Tomas Guisasola Gorham
- Re: Simple PostgreSQL client library, Michael Broughton
- Re: Simple PostgreSQL client library, Tomas Guisasola Gorham

Prev by Date: Re: Simple PostgreSQL client library
Next by Date: NSLINKMODULE_OPTION_PRIVATE a problem? (OS X require of a module multiple times)
Previous by thread: Re: Simple PostgreSQL client library
Next by thread: Re: Simple PostgreSQL client library
Index(es):
- Date
- Thread