Hacker News new | ask | show | jobs
by EGreg 633 days ago
Easy. Don’t write queries in a language (SQL) which interpolates content without escaping it for the enclosing structure.

Go one level up.

For example statements that are prepared should not allow strings in the SQL, but rather variables, and then bind them to values like PDO does
1 comments
scotty79 633 days ago
It would be a bit annoying to have to prepare outside and pass in every SQL literal you need to use in your query.

I'd rather have SQL API taking not strings but a special type that string can't be directly converted into without escaping (by default).

In C++ tagged literals could be used to create this special type easily. Similar constructs exist in some other languages

link
EGreg 633 days ago
Literally a library can generate SQL statements and compile them

JS and PHP has tagged literals

But they have to be “escaped” properly before being interpolated!

link
scotty79 633 days ago
That's the whole point of having a separate type for queries. Whenever you try to glue a string to a query the string gets escaped.
link