[Gllug] Introductions to Databases
Richard Jones
rich at annexia.org
Sun Jul 19 10:33:47 UTC 2009
On Sun, Jul 19, 2009 at 11:18:28AM +0100, James Laver wrote:
> The fault here isn't PHP (which I am no friend of, I assure you), the
> fault is idiot users.
Yes, in this case it's a library thing rather than a language thing,
and in PHP/Perl one should use 'prepare' ...
[..]
> mysqli_prepare("SELECT * FROM table WHERE col=?");
But in fact good languages can help here. In OCaml, which has
features way beyond what you find in the usual Perl/Python/Ruby
scripting languages, you can write SQL statements correctly _and_
briefly:
PGSQL(dbh) "insert into employees (name, salary, email)
values ($name, $salary, $?email)"
This is a macro[*] which turns automatically into a prepared statement
with placeholders applied in the correct places. SQL injection is
_not_ possible with the above code.
http://merjis.com/developers/pgocaml
http://www.dse.nl/~dario/projects/pgoctut/
More amazing OCaml macros:
http://pa-do.forge.ocamlcore.org/
http://martin.jambon.free.fr/micmatch.html
http://code.google.com/p/bitstring/
Rich.
[*] LISP-like macro, not stupid C macro.
--
Richard Jones
Red Hat
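Added illustration (not from the post or from PG'OCaml): the contrast the post draws, a statement built by splicing values into the SQL text versus the prepared form with placeholders, using Python's sqlite3 module and a constructed in-memory employees table; a None email binds as NULL, mirroring the optional $?email placeholder.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the employees table in the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, salary INTEGER, email TEXT)")
    return conn

def insert_interpolated(conn, name, salary, email):
    # The pattern the post warns against: values spliced into the SQL text.
    # A name such as O'Brien closes the string literal early, so the
    # statement fails here and, with other inputs, would change meaning.
    sql = (f"INSERT INTO employees (name, salary, email) "
           f"VALUES ('{name}', {salary}, '{email}')")
    conn.execute(sql)

def insert_prepared(conn, name, salary, email=None):
    # Prepared form: '?' placeholders with values bound separately, so the
    # database never parses user data as SQL. None is stored as NULL.
    conn.execute(
        "INSERT INTO employees (name, salary, email) VALUES (?, ?, ?)",
        (name, salary, email),
    )

def rows(conn):
    return conn.execute(
        "SELECT name, salary, email FROM employees ORDER BY name"
    ).fetchall()

def demo():
    conn = make_db()
    results = {}
    try:
        insert_interpolated(conn, "O'Brien", 50000, "ob@example.com")
        results["interpolated"] = "ok"
    except sqlite3.Error:
        results["interpolated"] = "error"
    # The same name goes through the prepared statement without trouble,
    # and a value containing SQL punctuation is stored verbatim as data.
    insert_prepared(conn, "O'Brien", 50000, "ob@example.com")
    insert_prepared(conn, "x'); --", 1)
    results["rows"] = rows(conn)
    return results

if __name__ == "__main__":
    print(demo())
```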