Re: [Monotone-devel] [PATCH] New typesafe VA_ARGS replacement for database with operator % style
Tue, 24 Jan 2006 22:43:45 +0100
Mail/News 1.5 (X11/20060119)
Glen Ditchfield wrote:
> On Tuesday 24 January 2006 02:13, Nathaniel Smith wrote:
>> The new API is like:
>> execute(query("DELETE FROM my_table WHERE attr = ?") % blob(foo));
> Is there some code somewhere that escapes single-quotes? I've seen too many
> bugs in other systems where the code sets up a query like
> "SELECT stuff FROM my_table WHERE surname = '?' ")
> and then some other code substitutes in "O'Toole" instead of "O''Toole".
This is not an issue here since query and parameter are passed separately
to the database. (And the parameter is not parsed.)
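The reply's point, that the SQL text and the bound value travel to SQLite separately so the value is never parsed as SQL, shown as an added example that is not from this thread or from monotone's code. It uses Python's stdlib sqlite3 module with SQLite `?` placeholders (the same bind mechanism monotone's `query % blob()` API wraps in C++) against a constructed in-memory table, and contrasts it with the two bugs Glen describes.

```python
import sqlite3

def make_db():
    """Constructed in-memory table; not monotone's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (surname TEXT, attr BLOB)")
    conn.executemany("INSERT INTO my_table VALUES (?, ?)",
                     [("O'Toole", b"\x00abc"), ("Smith", b"xyz")])
    return conn

def lookup_bound(conn, surname):
    """Correct form: '?' is a bind slot, the value is sent as data.
    No quote escaping is needed (and doubling quotes yourself is wrong:
    the bound value "O''Toole" would simply not match any row)."""
    rows = conn.execute(
        "SELECT surname FROM my_table WHERE surname = ?", (surname,))
    return [r[0] for r in rows]

def lookup_quoted_placeholder(conn, surname):
    """Glen's first bug: a '?' inside quotes is the literal string "?",
    so the statement declares zero parameters and the bind is rejected."""
    try:
        rows = conn.execute(
            "SELECT surname FROM my_table WHERE surname = '?'", (surname,))
        return [r[0] for r in rows]
    except sqlite3.ProgrammingError as exc:
        return str(exc)   # "Incorrect number of bindings supplied ..."

def lookup_interpolated(conn, surname):
    """Glen's second bug: pasting the value into the SQL text, so a
    surname containing a quote is parsed as SQL and breaks the statement."""
    try:
        rows = conn.execute(
            "SELECT surname FROM my_table WHERE surname = '%s'" % surname)
        return [r[0] for r in rows]
    except sqlite3.OperationalError:
        return None       # syntax error near "Toole"

def roundtrip_blob(conn, data):
    """Binding also carries arbitrary bytes (quotes, NUL) through intact."""
    conn.execute("INSERT INTO my_table VALUES (?, ?)", ("blobrow", data))
    row = conn.execute(
        "SELECT attr FROM my_table WHERE surname = ?", ("blobrow",)).fetchone()
    return row[0]
```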