
Re: [Chicken-users] sql.egg: incompatible change

From: Graham Fawcett
Subject: Re: [Chicken-users] sql.egg: incompatible change
Date: Sun, 19 Aug 2007 19:17:02 -0400

On 8/19/07, Matthew Welland <address@hidden> wrote:
> By the by I suspect that option 2. doesn't protect against SQL injection
> threats to the same degree that option 1. does. Also, I believe that there
> are optimizations that can be done with positional arguments for when a
> query is called multiple times with different arguments. Can the sql egg
> approach ever take advantage of those types of optimizations?

You're thinking of "prepared statements". Pass a query with positional
arguments in it to your database engine; it parses and prepares an
execution plan, returning a statement "handle". You can then reuse the
prepared statement any number of times, without the parsing/planning
overhead. It's effective protection against SQL injection, for the
same reasons.

That being said, it is outside the scope of the sql egg. A common DBI
would be an appropriate place for a prepared-statement interface, but
the actual preparation is done by the RDBMS.
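An added illustration, not code from this thread or from the sql egg: Python's sqlite3 module against a constructed in-memory table, contrasting a query built by string interpolation with the positional-placeholder form described above, where the database engine binds the argument as data. Python's sqlite3 keeps the prepared-statement handle internally rather than returning it to the caller, so the reuse is implicit; the sample rows and names are constructed.

```python
import sqlite3

# Constructed sample rows (not from the original thread).
USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def setup_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # executemany runs one prepared INSERT once per argument tuple: the
    # statement text is parsed once and rebound with different values.
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_interpolated(conn, name):
    """Splice the caller's value into the SQL text (the unsafe pattern)."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """Positional placeholder: the engine binds the value, never re-parses it."""
    # The SQL text is identical on every call, so the engine can keep and
    # reuse its parse tree and plan; the argument is only ever data.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(name):
    """Return both lookups for the same input so the difference is visible."""
    conn = setup_db()
    try:
        return {
            "interpolated": lookup_interpolated(conn, name),
            "prepared": lookup_prepared(conn, name),
        }
    finally:
        conn.close()
```

For an ordinary name both paths agree; for an input containing SQL syntax the interpolated path changes the query's meaning and returns every row, while the prepared path simply finds no user with that literal name.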

