- Subject: Re: Simple PostgreSQL client library
- From: Michael Broughton <mbobowik@...>
- Date: Mon, 02 Apr 2007 11:54:15 -0600
Good question.
Personally, I find that string formatting and concatenation can be
tedious and error prone. Also, it makes a big mess of my code, even for
simple queries. In my experience, programming errors are much easier to
spot and fix when using query parameters.
One of the main arguments given for using query parameters is to prevent
SQL injection attacks. For example:
string.format("SELECT * FROM t WHERE a = %s", mystring)
Wouldn't it be nice if some malicious person were to substitute the
following for 'mystring':
mystring = "'aaa'; DELETE FROM t;"
With query parameters, this kind of attack is easily preventable.
Mike
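The contrast Mike describes, as an added example that is not part of the thread: Python's built-in sqlite3 module stands in for Lua/LuaSQL talking to PostgreSQL, the table `t` and its rows are constructed here, and the payload is the one quoted in the message.

```python
import sqlite3

# Constructed input: the value from the message, a closed string literal followed by a second statement.
PAYLOAD = "'aaa'; DELETE FROM t;"


def fresh_db():
    """In-memory table standing in for the PostgreSQL table 't' from the message (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (a TEXT)")
    conn.executemany("INSERT INTO t (a) VALUES (?)", [("aaa",), ("bbb",), ("ccc",)])
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM t").fetchone()[0]


def query_with_formatting(conn, value):
    """The string.format approach: the value is spliced into the SQL text before it
    reaches the server, so anything inside it is parsed as SQL.  sqlite3.execute()
    rejects multi-statement strings, so executescript() is used to mirror a driver
    that forwards the whole string unchanged.  Returns the SQL that was sent and the
    number of rows left in 't' afterwards."""
    sql = "SELECT * FROM t WHERE a = %s" % value
    conn.executescript(sql)
    return sql, row_count(conn)


def query_with_parameters(conn, value):
    """The query-parameter approach: SQL text and value travel separately, so the
    payload is only ever compared as a string against column 'a'.  Returns the
    matching rows and the number of rows left in 't' afterwards."""
    rows = conn.execute("SELECT * FROM t WHERE a = ?", (value,)).fetchall()
    return rows, row_count(conn)


if __name__ == "__main__":
    sent, remaining = query_with_formatting(fresh_db(), PAYLOAD)
    print("formatted SQL sent to the server:", sent)
    print("rows remaining in t:", remaining)          # 0: the second statement ran
    matches, remaining = query_with_parameters(fresh_db(), PAYLOAD)
    print("parameterized matches:", matches)        # []: payload treated as a plain string
    print("rows remaining in t:", remaining)          # 3: table untouched
```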
Tomas Guisasola Gorham wrote:
Hi Michael
My original library was actually a layer of Lua sitting on top of
LuaSQL. However, I did have to patch LuaSQL to make it support sending
query parameters separately from the query string.
But why do you need to use query parameters? Don't you solve that
in Lua with `string.format' or something like that?
Regards,
Tomás