[Haskell-cafe] Fwd: [Haskell-beginners] Database simple-mysql
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Dec 5 15:51:53 UTC 2018
> why does this work:
> let name = "'A 20'"
>
> bd_rows <- query_ conn "select `N° BD` from sidonie.Coordonnées where
> Nom = 'A 20'"
The "Nom" equality constraint was the String:
<A><SPACE><SPACE><SPACE><SPACE><2><0>
> but not with this:
>
> bd_rows <- query conn "select `N° BD` from sidonie.Coordonnées where
> Nom = ?" (Only (name::String))
No additional quoting is required or appropriate with prepared statements.
The "Nom" constraint in this case was incorrectly:
<'><A><SPACE><SPACE><SPACE><SPACE><2><0><'>
This is not Haskell-specific. The fact that prepared statement parameters
don't use or require quoting is an important safety feature (no SQL-injection
with prepared statements). Every language that offers SQL bindings with
prepared statement support behaves this way.
--
Viktor.
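The point above is language-independent, so here is an added example (not part of the original thread, and not the poster's Haskell/mysql-simple code) that reproduces both behaviours in Python with the standard-library sqlite3 driver. The table `coordonnees`, its column `"N° BD"`, and the three rows are constructed sample data standing in for the poster's `sidonie.Coordonnées`; the helper names `setup`, `lookup` and `lookup_concat` are assumptions. Row 2 deliberately stores the name with surrounding single quotes so the two behaviours can be told apart.

```python
import sqlite3

# Constructed sample data (not the poster's database). The column name
# mirrors the `N° BD` column from the thread; row 2 holds a value whose
# characters include the single quotes.
SAMPLE_ROWS = [
    (1, "A    20"),     # what the SQL literal 'A    20' matches
    (2, "'A    20'"),   # a name that literally contains the quotes
    (3, "B 7"),
]


def setup():
    """Create an in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE coordonnees ("N° BD" INTEGER, nom TEXT)')
    conn.executemany("INSERT INTO coordonnees VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup(conn, name):
    """Parameterised query: `name` is bound as data and compared as-is.
    No quoting is needed; any quotes you add become part of the value."""
    cur = conn.execute('SELECT "N° BD" FROM coordonnees WHERE nom = ?', (name,))
    return [row[0] for row in cur.fetchall()]


def lookup_concat(conn, name_sql):
    """String-built query: whatever the caller passes is spliced into the SQL
    text, so the caller must supply the quotes, and anything else in the
    string is executed as SQL too (this is the injectable pattern)."""
    sql = 'SELECT "N° BD" FROM coordonnees WHERE nom = ' + name_sql
    return [row[0] for row in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    conn = setup()
    print(lookup(conn, "A    20"))                # [1]: bound value, no quotes
    print(lookup(conn, "'A    20'"))              # [2]: quotes are just characters
    print(lookup_concat(conn, "'A    20'"))       # [1]: quotes are SQL syntax here
    print(lookup(conn, "x' OR '1'='1"))           # []: injection text is inert data
    print(lookup_concat(conn, "'x' OR '1'='1'"))  # [1, 2, 3]: concatenation is injectable
```

The last two calls are the safety property the mail refers to: with a bound parameter the string `x' OR '1'='1` is simply a name nobody has, whereas with string concatenation the same text rewrites the WHERE clause and returns every row.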