Hacker News new | ask | show | jobs
by amelius 3311 days ago
I don't see the problem if userId is guaranteed to be just an id.

This can be done, for example, by testing it before the SQL call. In that case, it's safer than most pointer-dereferences done in C++.
1 comments
regularfry 3311 days ago
That's one hell of an `if` you've got there.
link
Sorreah 3310 days ago
Not that big of an if. The id was most likely pulled out of the database itself in cases like:

>friends: dbQuery("select * from firends where user_id = "+userId).data

link
Klathmon 3310 days ago
or it was pulled from a GET parameter.

The point is that regardless of where it came from parameterized queries are a staple of programming now, and having an example without it would be like having an example of a login system be

    if (username in db && password in db) { login() }
link
Sorreah 3310 days ago
I'd much rather read a straightforward example like that in an intro, then reading the complicated prepared statement when going through what's essentially pseudocode.

There are valid cases where you're sure that the thing you're looking at is a valid id (ie. you already pulled it out of the database or by generating it yourself), not every program is a webapp that's handling user input, and examples like this aren't meant to teach you best security practices.

And yes the login system example would be acceptable if you're discussing something entirely unrelated to actually implementing one.

link
Klathmon 3310 days ago
I think the disconnect here is that a prepared statement isn't really more complicated. As pseudocode it's more like

    dbquery('select * from friends where user_id = $1', userId)
A few extra characters is all it takes.

And the benefits of prepared or parameterized statements don't end at security, they can often have performance benefits as well.

And as for the login pseudocode, if it doesn't have anything to do with the example, hide the implementation:

    if (userIsAuthenticated === true) { login() }
link
josephg 3310 days ago
I've been enjoying sql-template-strings lately, which build on ES6 tagged template literals so you get the best of both worlds:

    dbquery(sql`select * from friends where user_id = ${userId}`)
https://www.npmjs.com/package/sql-template-strings
link