[bcrosby95]

You can create json and sql string template processors that suffer from no injection problems. I'd call that a large improvement over, for example, Javascript. But I'm not familiar enough with the string template feature in the other languages to comment on their relative security.

[paulddraper]

> You can create json and sql string template processors that suffer from no injection problems. I'd call that a large improvement over, for example, Javascript.

Bad example. JavaScript literally has that (ever since ES6). [1]

  function sql(strings, ...args) {
    // ...
  }

  sql`SELECT * FROM user WHERE email = $1`

[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Refe...

[5e92cb50239222b]

This is a solved problem in .NET, and C# only has one kind of string templating:

  FormattableString foo = $"select * from {table} where {column} = 42";

https://learn.microsoft.com/en-us/ef/core/querying/sql-queri...

[kaba0]

Not sure if C# can do that, but java’s implementation can return an arbitrary object based on the templates/parameters.