On Fri, Dec 11, 2009 at 4:07 PM, Paul Bohme <kepler-proj...@bohme.org> wrote:

> As I see it, the thing is nearly perfect for my uses except for embedding
> untrusted data in code.. Tweak that little bit of missing code and it's
> perfect.
prepared statements and parameter bindings are the sane and safe way to do it. but _ONLY_ if you use the real deal, as provided by the RDBMS, not if you mangle the sql string, trying to do some string quoting/escaping, etc. i don't use PostgreSQL regularly, so i don't know if it supports named parameters. if not, then bad luck. the client code is no place to add that.

> Now, if you're talking about a separate much larger project, I'd be more
> inclined to agree.. ;-)

well, the first two parts (driver and LuaSQL) are already in place. the only missing thing is parameters support, which should be provided by the driver (some already do) and supported by the agnostic layer (missing).

the big trouble is that in the name of API unification, most projects suggest things like this: add named parameters when they're missing, and numbered ones in the converse case; or try to replace parameter syntaxes... it's all wrong. the agnostic layer MUST respect the RDBMS dialect of SQL, not try to make it 'nicer', or 'more like the others'.

--
Javier

_______________________________________________
Kepler-Project mailing list
Kepler-Project@lists.luaforge.net
http://lists.luaforge.net/cgi-bin/mailman/listinfo/kepler-project
http://www.keplerproject.org/
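The distinction Javier draws above (driver-level parameter binding versus mangling the SQL string on the client) is easy to see with a small experiment. The following is an added example, not code from the thread or from LuaSQL: it uses Python's standard `sqlite3` module and an in-memory database as a stand-in for the PostgreSQL/LuaSQL setup under discussion, with a constructed `users` table and constructed sample names. It runs the same lookup four ways: raw string concatenation (the "untrusted data in code" problem), client-side quote doubling (the string-mangling approach), and the driver's own positional and named parameter binding. The function names are hypothetical.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with a few made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_by_concat(conn, name):
    """Untrusted data embedded directly in the SQL text: what the thread warns against."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_by_escaping(conn, name):
    """Client-side quote doubling ("mangling the sql string").

    It happens to survive this input, but the client is guessing the
    dialect's quoting rules instead of letting the RDBMS handle the value.
    """
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name.replace("'", "''")
    return conn.execute(sql).fetchall()


def lookup_positional(conn, name):
    """Real parameter binding (positional): the value never becomes SQL text."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_named(conn, name):
    """Real parameter binding, using the driver's native named-parameter syntax."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = :n", {"n": name}
    ).fetchall()


def compare(conn, name):
    """Run the same lookup four ways; return rows, or the error class name if it failed."""
    out = {}
    for label, fn in [
        ("concat", lookup_by_concat),
        ("escaped", lookup_by_escaping),
        ("positional", lookup_positional),
        ("named", lookup_named),
    ]:
        try:
            out[label] = fn(conn, name)
        except sqlite3.Error as e:
            out[label] = type(e).__name__
    return out


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing a quote: concatenation produces a syntax error,
    # the other three return the one matching row.
    print(compare(db, "o'brien"))
    # A value containing SQL fragments: concatenation changes the query's meaning,
    # binding treats the whole string as one literal that matches nothing.
    print(compare(db, "x' OR name = 'alice"))
```

The second input is the point of the thread: with binding, the driver hands the value to the database separately from the statement, so no quoting rule of any dialect has to be reimplemented on the client side, which is exactly why that support belongs in the driver and not in the agnostic layer.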