help-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Emacs Modular Configuration: the preferable way.


From: Jean Louis
Subject: Re: Emacs Modular Configuration: the preferable way.
Date: Tue, 22 Jun 2021 00:07:13 +0300
User-agent: Mutt/2.0.7+183 (3d24855) (2021-05-28)

* Emanuel Berg via Users list for the GNU Emacs text editor 
<help-gnu-emacs@gnu.org> [2021-06-21 20:07]:
> > The language itself has evolved a lot since its beginnings
> > (to the better, IMO). But you still see extremely bad habits
> > "out there" which wouldn't be necessary these days --
> > because, well, they are "out there" (for example: assebling
> > SQL queries with sprintf [1]). They take a life of their own
> > :-)
> 
> If it is string to begin with and the end result is a string
> one should be able to use string functions to "assemble" it.

I am thinking how can I make it safer for SQL queries. It seem
not an easy task. Major updating function is using this:

(let* ((table "new")
       (column "new_name")
       (new-value "'Joe'")
       (id 1)
       (sql (format "UPDATE %s SET %s = %s WHERE %s_id = %s RETURNING %s_id" 
table column new-value table id table)))
  (message sql)
  (rcd-sql-first sql db)) ⇒ 1

Then I have to convert it to following by its meaning:

(let* ((table "new")
       (column "new_name")
       (new-value "'Joe'")
       (id 1)
       (parameters (list table column new-value id))
       (sql "UPDATE $1 SET $2 = $3 WHERE $1_id = $4 RETURNING $1_id"))
  (message sql)
  (rcd-sql-first sql db parameters))

But no, that does not work:

if: Wrong type argument: stringp, ("ERROR:  syntax error at or near \"$1\"
LINE 1: UPDATE $1 SET $2 = $3 WHERE $1_id = $4 RETURNING $1_id
               ^
" "42601")

As those paramters are probably converted to strings. Thus I
cannot avoid using the function `format' just everywhere, but I
can minimize it wherever there is possible danger for SQL
injection (though this below is not working):

(let* ((table "new")
       (column "new_name")
       (new-value "'Joe'")
       (id 1)
       (parameters (list new-value id))
       (sql (format "UPDATE %s SET %s = $1 WHERE %s_id = $2 RETURNING %s_id" 
table column table table)))
  (message sql)
  (rcd-sql-first sql db parameters))

Maybe solution would be to use `format' in steps, so that final
step can accept users' input.

Issue is not solved. First I have to contact developers of
`emacs-libpq' package to see if this is error, as it returns
string by supplying integer parameter:

This is not expected:

(pq:query db "SELECT $1" 100) ⇒ ("100")

While this is expected:

(pq:query db "SELECT $1" "100") ⇒ ("100")

So the issue is pending on Github:
https://github.com/anse1/emacs-libpq/issues/19

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]