Hacker News new | ask | show | jobs
by ezfe 1330 days ago
no, the backend has no reason to see `foo%20bar` - you escape when you're combining that string with other strings (ie into HTML, into a SQL query, etc.)
1 comments
evilDagmar 1330 days ago
There's just a whole library of CVEs for people who attempt to escape things being sent to SQL. Use parameterized queries already.
link
8n4vidtmkvmk 1329 days ago
every one says "just use parameterized queries" but they don't handle arrays which makes the idea rather useless.
link
jiggawatts 1329 days ago
Many database engines can handle arrays, or table-valued variables which are basically the same thing. Most ORMs will also abstract away arrays for you, so you as the developer never need to deal with escaping of data in arrays.
link
8n4vidtmkvmk 1327 days ago
Which relational DB supports this natively?

ORMs don't count. They're just editing the SQL.

link
orf 1329 days ago
Use one that does? Or build it yourself?

    ARRAY[?, ?, ?, ?]
link
8n4vidtmkvmk 1327 days ago
I do, but I feel like it defeats the purpose. In order to insert those ?s you have to parse the query, which is exactly what we're trying to avoid.
link
orf 1327 days ago
Sorry, I’m not clear on why you need to parse the query? Imagine you want to INSERT (int, array[], int) into a table.

Why can’t you just generate the following SQL?

  INSERT INTO foo VALUES (?, ARRAY[?,?,?], ?)
Where param 1-3 are indexes 0-2 in the array?

This is basically what everything else does when handing arrays, or other composite types like coordinates.

If the language or libraries are not suitable for doing this then the language or libraries are the problem, not the approach.

link
8n4vidtmkvmk 1324 days ago
If you're using an ORM/SQL builder, sure. If you prefer writing raw SQL because ORMs are often quite limiting, then you have to write something like `INSERT INTO foo VALUES ?` and then you pass it `[1, [2,3,4], 5]` as params, which is mostly fine but you still have to parse out that "?" from the query. Why parse? Because what if you wrote 'VALUES "?"' now it's a string and shouldn't be replaced. It would be much nicer if you could just send the query to the SQL server and figure out what to do with the params.
link