[Haskell-beginners] database error simply by using a sting in a variable
Ian Denhardt
ian at zenhack.net
Wed Dec 5 18:19:26 UTC 2018
It sounds from the later posts like you've made some progress. I just
want to call out one thing:
Quoting Damien Mattei (2018-12-05 11:02:48)
> let name = "'A 20'"
> let qry = "select `N° BD` from Coordonnées where Nom = " ++ name
I'll hazard a guess that you're using the sqlite-simple library. From
their documentation on the Query type:
> This type is intended to make it difficult to construct a SQL query by
> concatenating string fragments, as that is an extremely common way to
> accidentally introduce SQL injection vulnerabilities into an
> application.
From later messages it looks like you worked out the OverloadedStrings
thing and ended up (correctly) moving to some code that uses the ?
interpolation syntax: ".... where Nom = ?". I just wanted to stress that
this is the right way to do things, and the distinction is important.
This is a general thing when working with SQL: don't construct queries
by gluing strings together; it's a great way to have vulnerabilities in
your app.
Happy Hacking,
-Ian
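To make the distinction concrete, here is an added example (mine, not code from Ian, Damien, or the sqlite-simple project) that puts the glued-string query from the quoted post next to the `?` version. It uses the sqlite-simple API (`open`, `execute_`, `query`, `query_`, `Only`, `Query`) against an in-memory database; the table and column names come from the post, and the two rows are constructed sample data.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main where

import Control.Exception (SomeException, try)
import qualified Data.Text as T
import Database.SQLite.Simple
  (Connection, Only (..), Query (..), close, execute, execute_, open, query, query_)

-- Table and column names are the ones from the post; the rows are
-- constructed sample data so the example runs without any external file.
setup :: IO Connection
setup = do
  conn <- open ":memory:"
  execute_ conn "CREATE TABLE Coordonnées (Nom TEXT, \"N° BD\" TEXT)"
  mapM_ (execute conn "INSERT INTO Coordonnées VALUES (?, ?)")
        [ ("A 20" :: T.Text, "BD-001" :: T.Text)
        , ("O'Hara", "BD-002") ]
  return conn

-- The pattern from the original post: the caller's value is spliced into
-- the query text, so SQLite parses it as SQL rather than treating it as
-- data. Building a Query by hand is the only way to do this with
-- sqlite-simple, which is exactly why the library makes it awkward.
lookupUnsafe :: Connection -> String -> IO (Either SomeException [Only T.Text])
lookupUnsafe conn name =
  try (query_ conn (Query (T.pack sql)))
  where
    sql = "select `N° BD` from Coordonnées where Nom = '" ++ name ++ "'"

-- The ? placeholder: the value is bound as a parameter by the driver and
-- never takes part in parsing the statement, whatever characters it holds.
lookupSafe :: Connection -> T.Text -> IO [Only T.Text]
lookupSafe conn name =
  query conn "select `N° BD` from Coordonnées where Nom = ?" (Only name)

-- Render either a failure or the list of matched ids on one line.
render :: String -> Either SomeException [Only T.Text] -> String
render label r =
  label ++ ": " ++ either (const "SQL error") (show . map fromOnly) r

main :: IO ()
main = do
  conn <- setup
  -- A plain name behaves the same both ways.
  lookupUnsafe conn "A 20" >>= putStrLn . render "unsafe, plain name"
  lookupSafe conn "A 20" >>= putStrLn . render "safe,   plain name" . Right
  -- A perfectly ordinary name containing an apostrophe: the glued query is
  -- now malformed SQL, while the parameterised one finds the row.
  lookupUnsafe conn "O'Hara" >>= putStrLn . render "unsafe, apostrophe"
  lookupSafe conn "O'Hara" >>= putStrLn . render "safe,   apostrophe" . Right
  -- Input shaped like SQL: glued in, it changes what the statement means
  -- and matches rows it should not; bound as a parameter, it matches nothing.
  lookupUnsafe conn "x' or '1'='1" >>= putStrLn . render "unsafe, sql-shaped"
  lookupSafe conn "x' or '1'='1" >>= putStrLn . render "safe,   sql-shaped" . Right
  close conn
```

Build it in a project that depends on `sqlite-simple` and `text` (for example with `cabal run`), and compare the three pairs of lines: the glued version only agrees with the `?` version for the harmless input, errors out on the apostrophe, and returns the wrong rows for the SQL-shaped input, which is the vulnerability the sqlite-simple documentation quoted above is warning about. The `?` version needs no escaping logic at all, so there is nothing to get wrong.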