On Thursday, 4 January 2024 at 18:03:56 UTC, Leonardo wrote:
On Saturday, 30 December 2023 at 22:11:55 UTC, Steven Schveighoffer wrote:
auto andrei = db.fetchOne(select(ads).where(ads.firstname, " = 'Andrei'"));

How is SQL injection avoided here?

SQL injection is avoided by passing parameter data. You use the `param` wrapper.

So if you had unqualified user input, it would be:

```d
string personname = getFromUser();
auto author = db.fetchOne(select(ads).where(ads.firstname, " = ", personname.param));
```

For everything except strings, it is a static error to pass them in without the `.param` wrapper. For strings, I can't help it, there is no mechanism to find out whether you are writing SQL or giving me a parameter.

This should be fixable if interpolation ever happens (and I can get rid of the requirement for `.param`).

-Steve
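The distinction Steve draws above, SQL text versus a value that must travel as a bound parameter, shown as an added example that is not from this thread or from the D library being discussed. It is written in Python against an in-memory sqlite3 database; `Param`, `build_where`, the `ads` table rows and the injection payload are all constructed here for illustration. Python has no compile-time check, so the "static error" for unwrapped non-string values is approximated with a `TypeError` raised when the clause is built.

```python
import sqlite3


class Param:
    """Marks a value that must be bound as a query parameter, never spliced
    into the SQL text. Hypothetical stand-in for the `.param` wrapper."""

    def __init__(self, value):
        self.value = value


def build_where(column, *fragments):
    """Assemble '<column> ...' from SQL text fragments and Param values.

    A plain str is taken as SQL text and concatenated as-is (the ambiguity the
    post describes: a string could be SQL or data). A Param becomes a '?'
    placeholder and its value is collected for binding. Anything else is
    rejected, the runtime analogue of "it is a static error to pass non-strings
    without the wrapper".
    """
    sql = column
    bound = []
    for frag in fragments:
        if isinstance(frag, Param):
            sql += "?"
            bound.append(frag.value)
        elif isinstance(frag, str):
            sql += frag
        else:
            raise TypeError(f"unwrapped non-string fragment {frag!r}: wrap it in Param(...)")
    return sql, bound


def make_db():
    """Constructed in-memory table standing in for the thread's `ads` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (id INTEGER PRIMARY KEY, firstname TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO ads (firstname, body) VALUES (?, ?)",
        [("Andrei", "public post"), ("Walter", "another post"), ("Steven", "private draft")],
    )
    return conn


def fetch_spliced(conn, personname):
    """Vulnerable variant: user text concatenated into the SQL string, which is
    what happens if a raw string is handed over where SQL text is expected."""
    where, _ = build_where("firstname", " = '" + personname + "'")
    rows = conn.execute("SELECT id, firstname FROM ads WHERE " + where + " ORDER BY id")
    return [r[1] for r in rows]


def fetch_param(conn, personname):
    """Safe variant: user text goes through Param and is bound by the driver,
    so the database never parses it as SQL."""
    where, bound = build_where("firstname", " = ", Param(personname))
    rows = conn.execute("SELECT id, firstname FROM ads WHERE " + where + " ORDER BY id", bound)
    return [r[1] for r in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "Andrei' OR '1'='1"          # constructed injection payload
    print("spliced:", fetch_spliced(db, payload))   # every row leaks
    print("param:  ", fetch_param(db, payload))     # no row has that literal name
    print("param:  ", fetch_param(db, "Andrei"))    # the intended lookup
```

Run it and the spliced query returns all three names for the payload, while the parameterised query returns nothing for the payload and exactly `['Andrei']` for the honest input; `build_where("id", " = ", 5)` raises `TypeError` because the integer was not wrapped.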
