I don't think guile-dbi does this safety check. You are welcome to add it.
Since gna.org is dead, I moved everything over to https://github.com/opencog/guile-dbi --linas On Mon, Mar 27, 2017 at 1:24 PM, Christopher Allan Webber < [email protected]> wrote: > Jakub Jankiewicz writes: > > > Hi all, > > > > I want to use guile-dbi with unsafe user input. I have code like this: > > > > (dbi-query db-obj (string-append "SELECT * FROM users WHERE username = '" > > username > > "'")) > > > > How can I escape username given from user to prevent sql injection? > > > > I could validate username to only contain letters using [a-zA-Z] regex > but > > what about other languages that have non Latin letters and names like > O'Conor? > > This will also don't work for password that may have special characters. > > guile-squee is pretty immature but I do think it does this one bit > correctly... parameters to the procedure shouldn't be substituted in the > string, they should be provided as additional arguments, like > > (exec-query db-obj "SELECT * FROM users WHERE username=$1" > '("alice")) > > I seem to remember trying to find out if this was possible to do in > dbi-query, and not succeeding at finding such a route? (guile-dbi, > unlike guile-squee, has some maturity though...) > >
