[Haskell-beginners] database error simply by using a sting in a variable

Ian Denhardt ian at zenhack.net
Wed Dec 5 18:19:26 UTC 2018

It sounds from the later posts like you've made some progress. I just
want to call out one thing:

Quoting Damien Mattei (2018-12-05 11:02:48)
> let name = "'A    20'"
>     let qry = "select `N° BD` from Coordonnées where Nom = " ++ name

I'll hazard a guess that you're using the sqlite-simple library. From
their documentation on the Query type:

> This type is intended to make it difficult to construct a SQL query by
> concatenating string fragments, as that is an extremely common way to
> accidentally introduce SQL injection vulnerabilities into an
> application.

From later messages it looks like you worked out the OverloadedStrings
thing and ended up (correctly) moving to some code that uses the ?
interpolation syntax: ".... where Nom = ?". I just wanted to stress that
this is the right way to do things, and the distinction is important.
This is a general thing when working with SQL: don't construct queries
by gluing strings together; it's a great way to have vulnerabilities in
your app.

Happy Hacking,


More information about the Beginners mailing list