Re: Protection from SQL injection

On Sun, 27 Apr 2008 12:38:48 +0200
Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it> wrote:

> Once you've developers that are so patient to write stuff like:
>
> "select a.id, b.name from a join b on b.id=a.id where
> a.status='pending' and b.id>7 and b.status='logged'"
>
> into
>
> "select a.id, b.name from a join b on b.id=a.id where
> a.status=? and b.id>? and b.status=?", 'pending', 7, 'logged'
>
> there are high chances they will prefer to spend some of their time
> actually thinking about what they are writing.

[snipped here and there]

> Prepared statements force you to match input with position and it is
> definitively error prone.

It'd be nice to have a wrapper that let you write prepared statements
this way:

"select a.id, b.name from a join b on a.id=b.id where
a.status=$variable1 and b.id>$variable2 etc... but that's a pretty
good change to any language parser.

Maybe it could be obtained by use of macro...
That will turn
new_query("select a.id, b.name from a join b on a.id=b.id where
a.status=$variable1 and b.id>$variable2");
into
pg_prepare('anonymous', 'select a.id, b.name from a join b on
a.id=b.id where a.status=$1 and b.id>$2');
pg_execute('anonymous',array($variable1,$variable2));

but aren't macro evil

Still it would be handy.

--
Ivan Sergio Borgonovo
http://www.webthatworks.it