[Haskell-cafe] ANNOUNCE: hdbi-1.0.0 and hdbi-postgresql-1.0.0
s9gf4ult at gmail.com
Wed Jul 31 13:28:02 CEST 2013
The rationale is that the low-level database interface accepts parameters
directly instead of inserting them inside the query manually (like HoleyMonoid
would do). also does parameter substitution on the Haskell side. This is not
safe and may lead to SQL injection
(http://en.wikipedia.org/wiki/SQL_injection) if it is not done properly. The
database interface knows better how to work with parameters, so the driver
must pass them to it instead of substituting the parameters itself.

hdbi-postgresql just replaces "?" with the "$1" sequence, properly parsing and
ignoring question marks inside double-quoted identifiers, quoted literals and
even dollar-quoted literals (see "Dollar-Quoted String" constants in the
PostgreSQL documentation).
2013/7/31 Tom Ellis <tom-lists-haskell-cafe-2013 at jaguarpaw.co.uk>
> On Wed, Jul 31, 2013 at 09:45:50AM +0600, Alexey Uimanov wrote:
> > Hello, haskellers. This is the first release of HDBI (Haskell Database
> > Independent interface).
> Hi, thanks for this Alexey. It's great that there is continued development
> of this really important infrastructure for Haskell.
> I have a question about variable interpolation, that is, using "?"
> placeholders in the query strings, as documented here:
> I know postgresql-simple does this, and presumably database access
> in other languages do this too.
> What is the rationale for this when in Haskell we have safer methods of
> interpolation at our disposal (for example HoleyMonoid)? Is it simply a
> matter of using the most familiar interface, or is there a deeper reason
> this is necessary?
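The "?" to "$n" rewrite described above, as an added illustration that is not hdbi-postgresql's own code: top-level question marks become numbered PostgreSQL parameters, while question marks inside double-quoted identifiers, single-quoted literals and dollar-quoted literals are copied untouched. The dollar-quote tag rule is simplified to `[A-Za-z_][A-Za-z0-9_]*` (or empty); that approximation, and the function names, are this example's assumptions.

```haskell
-- Added example, not hdbi-postgresql's implementation: rewrite "?" placeholders
-- to "$1", "$2", ... without touching quoted regions of the query text.
module Main where

import Data.Char (isAlphaNum, isDigit)
import Data.List (isPrefixOf, stripPrefix)

-- | Replace each placeholder outside quotes with "$n", numbering from 1.
toPgPlaceholders :: String -> String
toPgPlaceholders = go 1
  where
    go :: Int -> String -> String
    go _ [] = []
    go n ('?':rest) = '$' : show n ++ go (n + 1) rest
    go n ('"':rest) = let (body, rest') = quoted '"' rest in '"' : body ++ go n rest'   -- "identifier"
    go n ('\'':rest) = let (body, rest') = quoted '\'' rest in '\'' : body ++ go n rest' -- 'literal'
    go n ('$':rest)                                                                   -- $tag$...$tag$
      | Just (tag, afterOpen) <- dollarTag rest =
          let closeTag = '$' : tag ++ "$"
              (body, rest') = breakOn closeTag afterOpen
          in closeTag ++ body ++ case stripPrefix closeTag rest' of
               Just r  -> closeTag ++ go n r
               Nothing -> rest'  -- unterminated dollar quote: copy the remainder verbatim
    go n (c:rest) = c : go n rest

    -- Copy a quoted body up to and including the closing quote; a doubled
    -- quote character is an escape and stays inside the body.
    quoted :: Char -> String -> (String, String)
    quoted _ [] = ([], [])
    quoted q (c:d:rest) | c == q && d == q = let (b, r) = quoted q rest in (c : d : b, r)
    quoted q (c:rest)   | c == q           = ([c], rest)
                        | otherwise        = let (b, r) = quoted q rest in (c : b, r)

    -- Parse the tag of a dollar-quote opener (simplified tag syntax, an assumption here).
    dollarTag :: String -> Maybe (String, String)
    dollarTag s = case span isTagChar s of
      (tag, '$':rest) | null tag || not (isDigit (head tag)) -> Just (tag, rest)
      _ -> Nothing
      where isTagChar c = isAlphaNum c || c == '_'

    -- Split at the first occurrence of needle, leaving needle in the second part.
    breakOn :: String -> String -> (String, String)
    breakOn needle = loop
      where loop [] = ([], [])
            loop hay@(c:cs) | needle `isPrefixOf` hay = ([], hay)
                            | otherwise = let (b, r) = loop cs in (c : b, r)

main :: IO ()
main = mapM_ (putStrLn . toPgPlaceholders)   -- constructed sample queries
  [ "SELECT * FROM t WHERE a = ? AND b = ?"
  , "SELECT \"col?\" FROM t WHERE note = 'why?' AND x = ?"
  , "SELECT $$is it?$$, $q$ok?$q$ FROM t WHERE y = ?"
  ]
```

The second and third queries keep every quoted "?" and rewrite only the trailing placeholder, which is exactly why the driver must parse the query rather than do a blind textual replace.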