> On Mar 18, 2024, at 9:38 AM, Brian Goetz <[email protected]> wrote:
> . . .
> A few people have implied that only the tainted parts of an ST (the embedded
> expressions) need special processing, but I'll point out that the untainted
> parts may often require domain-specific validation. For example, a ST
> representing a SQL query wants balanced quotes, and might want to require
> quotes around embedded expressions.
Thank you for mentioning this, especially in connection with SQL, which has been much on my mind this last week. Yes, for complete safety, an SQL processor really ought to do a proper parse of the entire SQL statement represented by the fragments and verify that the “holes” filled by the expressions make sense. In elaborate cases, it may be necessary to figure out what kind of thing is represented by the hole (value, name, data type) before it can properly validate and escape the associated expression.

—Guy
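The approach Guy describes, validating the untainted fragments and classifying each hole before deciding how to treat its expression, as an added example that is not part of this thread and not the JDK's own template-processor code. It is written in Python rather than Java so that it runs stand-alone; the template is modelled the way the Java preview API exposes it, as a list of static fragments and a list of embedded values, with `process(fragments, values)` standing in for a processor's `process(StringTemplate)`. The keyword list, the identifier grammar and the sample table are assumptions made for the example.

```python
"""Fragment-level validation for a SQL template processor (added example).

The processor walks the static fragments, requires balanced single quotes,
refuses any hole that falls inside a string literal (the value would then be
concatenated into the literal), classifies each hole as a value or an
identifier from the keyword that precedes it, and emits a parameterized
statement ('?' per value hole) instead of interpolating values into the SQL.
"""
import re
import sqlite3

# Assumed identifier grammar and keyword list for the example; a real processor
# would use the dialect's own lexer.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
IDENT_CONTEXT_RE = re.compile(r"\b(from|into|update|join|order\s+by|group\s+by)$")


class TemplateError(ValueError):
    """Raised when the static fragments or a hole fail validation."""


def _scan_fragment(fragment, in_string):
    """Return whether a '...' literal is still open at the end of `fragment`.

    A doubled quote ('') inside a literal is an escaped quote; since each quote
    toggles the state, two toggles leave us inside the literal as required.
    """
    for ch in fragment:
        if ch == "'":
            in_string = not in_string
    return in_string


def classify_hole(fragment_before):
    """Decide what kind of thing a hole represents from the text before it."""
    tail = fragment_before.rstrip().lower()
    return "identifier" if IDENT_CONTEXT_RE.search(tail) else "value"


def process(fragments, values):
    """Return (sql, params); `fragments` must have len(values) + 1 entries."""
    if len(fragments) != len(values) + 1:
        raise TemplateError("fragments/values mismatch")
    sql_parts, params, in_string = [], [], False
    for i, frag in enumerate(fragments):
        in_string = _scan_fragment(frag, in_string)
        sql_parts.append(frag)
        if i == len(values):          # trailing fragment, no hole follows it
            break
        if in_string:
            raise TemplateError(f"hole {i} is inside a string literal")
        val = values[i]
        if classify_hole(frag) == "identifier":
            # Names cannot be bind parameters: validate, then quote them.
            if not isinstance(val, str) or not IDENT_RE.match(val):
                raise TemplateError(f"hole {i}: invalid identifier {val!r}")
            sql_parts.append('"' + val + '"')
        else:
            sql_parts.append("?")     # values are always bound, never spliced
            params.append(val)
    if in_string:
        raise TemplateError("unbalanced quotes in template")
    return "".join(sql_parts), tuple(params)


def demo():
    """Run a processed template against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])   # constructed rows
    # The value hole receives a classic injection string; because it is bound
    # as a parameter it matches no row instead of widening the predicate.
    sql, params = process(
        ["SELECT name FROM users WHERE name = ", " AND role = 'admin'"],
        ["bob' OR '1'='1"])
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    print(demo())
```

The two rejection paths are the ones the message calls for: a hole opened inside a quoted literal is refused outright rather than escaped, and a hole in identifier position is validated against a name grammar because a bind parameter cannot stand in for a table or column name.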
