No subject


Thu Jul 5 12:38:43 CEST 2012


talking about. It's typical for SQL packages even in dynamic
languages.

What I have in mind is that the query (with placeholders for the
values) would have to be a string constant (provided by the
programmer) or flagged as "checked and not tainted" by the programmer,
otherwise trying to run the query would fail to type check.

If you have a system where you want to let the user select the column
names in the query, then SQL placeholders/sanitation may not work -
you need to build the query string "by hand". Being able to use the
type checking system to ensure that no string gets used that hasn't
been sanitized would be nice.



More information about the Beginners mailing list
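The type-level taint tracking sketched in the message above, as an added example in Rust (not code from the post, nor from any Haskell SQL package): a `Sql` type whose only constructors are a `'static` constant or an identifier the programmer has explicitly checked, so the driver call refuses a hand-built `String` at compile time. All names, the allow-list and the identifier rule are assumptions for the demo.

```rust
// Added example (not from the mailing-list post): the type checker enforces that
// a query is built only from programmer constants or text explicitly marked checked.

/// A query fragment the type system trusts. Outside this module the only ways
/// to obtain one are `constant` (a 'static string, i.e. a literal in practice)
/// and `checked_identifier` (a runtime-validated, user-chosen column name).
#[derive(Debug, Clone, PartialEq)]
pub struct Sql(String);

impl Sql {
    /// Programmer-supplied constant: accepted without inspection.
    pub fn constant(s: &'static str) -> Sql {
        Sql(s.to_string())
    }

    /// Flag an identifier as "checked and not tainted": it must look like a
    /// plain SQL name (assumed rule: ASCII letter, then letters/digits/'_')
    /// and be in the allow-list of columns the application exposes.
    pub fn checked_identifier(name: &str, allowed: &[&str]) -> Result<Sql, String> {
        let mut chars = name.chars();
        let well_formed = chars.next().map_or(false, |c| c.is_ascii_alphabetic())
            && chars.all(|c| c.is_ascii_alphanumeric() || c == '_');
        if well_formed && allowed.contains(&name) {
            Ok(Sql(name.to_string()))
        } else {
            Err(format!("{:?} is not an allowed column name", name))
        }
    }

    /// Join trusted fragments; no `From<String>` exists, so raw text cannot sneak in.
    pub fn join(parts: &[Sql]) -> Sql {
        Sql(parts.iter().map(|p| p.0.as_str()).collect())
    }
}

/// Stand-in for a driver call: accepts only `Sql`, values go through placeholders.
pub fn run_query(q: &Sql, params: &[&str]) -> (String, Vec<String>) {
    (q.0.clone(), params.iter().map(|p| p.to_string()).collect())
}

/// The case from the post: the user picks the sort column, which a placeholder
/// cannot express, so the name is checked and then spliced into a constant.
/// Passing `user_choice` straight to `run_query` would be a type error.
pub fn users_sorted_by(user_choice: &str, min_id: &str) -> Result<(String, Vec<String>), String> {
    let col = Sql::checked_identifier(user_choice, &["name", "created_at"])?;
    let q = Sql::join(&[Sql::constant("SELECT id, name FROM users WHERE id > ? ORDER BY "), col]);
    Ok(run_query(&q, &[min_id]))
}
```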