Petite Abeille wrote:
> On Dec 11, 2009, at 6:42 PM, Paul Bohme wrote:
>> This at least makes LuaSQL useful in environments (like the one I find myself
>> in) where code that uses string concatenation for queries is strictly forbidden
>> as a matter of policy.
> Hmmm... this borders on the ridiculous, no? :)
Not really. It's a simple fact that escaping user data into a SQL
string is using user input as executable. Can't do that in environments
that I work in. If it were that easy, we wouldn't still be playing an
eternal game of whack-a-mole with SQL injection attacks everywhere.
Being able to bind values to a query keeps data as data, and denies it
any even conceptual chance to become code. Thus, in environments that
are sensitive to security, simple escaping is insufficient.
> As far as bind variables go, perhaps LuaDBI would be more to your liking:
> "LuaDBI is a database interface library for Lua. It is designed to provide a RDBMS
> agnostic API for handling database operations. LuaDBI also provides support for prepared
> statement handles, placeholders and bind parameters for all database operations."
> http://code.google.com/p/luadbi/
Saw that earlier in my reading of the list archives, and it's far too
young at this point. I pulled the sources and it's a long way from what
I'd consider prime time (more than I'm ready to invest in...)
-P
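The distinction drawn above between splicing a value into the SQL text and binding it through a placeholder, as an added example that is not part of this thread nor of LuaSQL or LuaDBI; it uses Python's standard sqlite3 module so it runs stand-alone, and the table and names are constructed for illustration:

```python
import sqlite3

# Constructed sample data (not from the thread): one name contains an
# apostrophe, which is perfectly ordinary user input.
ROWS = [(1, "alice"), (2, "O'Brien")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def find_by_concat(conn, name):
    # The pattern the thread rejects: the value becomes part of the
    # statement text, so the SQL parser sees it as code.
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_bind(conn, name):
    # Placeholder plus bound value: the statement is parsed with '?' in
    # place and the value is supplied separately, so it is only ever
    # compared as data, whatever characters it contains.
    sql = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Return (concatenation result, bound result) for one input value.

    The concatenation result is the error class name when the parser
    rejects the statement, which is exactly the case where the data
    has been interpreted as part of the SQL."""
    conn = make_db()
    try:
        concat = find_by_concat(conn, name)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    bound = find_by_bind(conn, name)
    conn.close()
    return concat, bound


if __name__ == "__main__":
    for value in ("alice", "O'Brien", "name = name OR 1=1"):
        print(repr(value), "->", compare(value))
```

With binding, a value that happens to look like SQL is just a string that matches no row; with concatenation, even a legitimate apostrophe changes how the statement parses.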
_______________________________________________
Kepler-Project mailing list
Kepler-Project@lists.luaforge.net
http://lists.luaforge.net/cgi-bin/mailman/listinfo/kepler-project
http://www.keplerproject.org/