Hacker News new | ask | show | jobs
by Klathmon 3310 days ago
or it was pulled from a GET parameter.

The point is that regardless of where it came from parameterized queries are a staple of programming now, and having an example without it would be like having an example of a login system be

    if (username in db && password in db) { login() }
1 comments
Sorreah 3310 days ago
I'd much rather read a straightforward example like that in an intro, then reading the complicated prepared statement when going through what's essentially pseudocode.

There are valid cases where you're sure that the thing you're looking at is a valid id (ie. you already pulled it out of the database or by generating it yourself), not every program is a webapp that's handling user input, and examples like this aren't meant to teach you best security practices.

And yes the login system example would be acceptable if you're discussing something entirely unrelated to actually implementing one.

link
Klathmon 3310 days ago
I think the disconnect here is that a prepared statement isn't really more complicated. As pseudocode it's more like

    dbquery('select * from friends where user_id = $1', userId)
A few extra characters is all it takes.

And the benefits of prepared or parameterized statements don't end at security, they can often have performance benefits as well.

And as for the login pseudocode, if it doesn't have anything to do with the example, hide the implementation:

    if (userIsAuthenticated === true) { login() }
link
josephg 3310 days ago
I've been enjoying sql-template-strings lately, which build on ES6 tagged template literals so you get the best of both worlds:

    dbquery(sql`select * from friends where user_id = ${userId}`)
https://www.npmjs.com/package/sql-template-strings
link
Klathmon 3310 days ago
(not sure why you are getting downvoted, but...)

Template strings are the one ES2015 feature I still really haven't used much. And this almost seems like a textbook use case for them! I'll need to give this a shot in a toy project and see if I can't get my own version hacked together for support with my favorite database interface library in node (pg-promise)

link