Hacker News new | ask | show | jobs
by paulddraper 999 days ago
*large

*small
1 comments
bcrosby95 999 days ago
You can create json and sql string template processors that suffer from no injection problems. I'd call that a large improvement over, for example, Javascript. But I'm not familiar enough with the string template feature in the other languages to comment on their relative security.
link
paulddraper 999 days ago
> You can create json and sql string template processors that suffer from no injection problems. I'd call that a large improvement over, for example, Javascript.

Bad example. JavaScript literally has that (ever since ES6). [1]

  function sql(strings, ...args) {
    // ...
  }

  sql`SELECT * FROM user WHERE email = $1`
[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...
link
5e92cb50239222b 999 days ago
This is a solved problem in .NET, and C# only has one kind of string templating:

  FormattableString foo = $"select * from {table} where {column} = 42";
https://learn.microsoft.com/en-us/ef/core/querying/sql-queri...
link
kaba0 999 days ago
Not sure if C# can do that, but java’s implementation can return an arbitrary object based on the templates/parameters.
link