On Fri, Oct 21, 2011 at 10:47 PM, Alan Malloy a...@malloys.org wrote:
Can't repeat this strongly enough. Do not, ever, decide you can escape/
sanitize the strings yourself so you don't need a parameterized query.
Maybe it works, but one of these days you'll slip up and get something
wrong.
Yep. Repeating you for emphasis, not repeating myself to disagree with
you.
On Oct 22, 12:37 am, Sean Corfield seancorfi...@gmail.com wrote:
On Fri, Oct 21, 2011 at 10:47 PM, Alan Malloy a...@malloys.org wrote:
Can't repeat this strongly enough. Do not, ever, decide you can escape/
sanitize
I agree. Thanks for general guidance on using parameterized queries. I
will switch to use prepared statements instead.
On Oct 22, 3:51 am, Alan Malloy a...@malloys.org wrote:
Yep. Repeating you for emphasis, not repeating myself to disagree with
you.
On Oct 22, 12:37 am, Sean Corfield
Hi
I wrote the following function to create a SQL IN clause from a list
of values. Essentially the function creates a single string which is a
comma-separated, quoted list of the values surrounded by parentheses.
user=> (def xs [1 2 3 4 5])
user=> (str "('" (first xs) (reduce #(str %1 "', '" %2) "" (rest xs)) "')")
user=> (str "('" (apply str (interpose "', '" [1 2 3 4 5])) "')")
"('1', '2', '3', '4', '5')"
Would be a way to do it. Interpose returns a lazy sequence so you need to apply
str to realize the sequence.
Luc P.
On Fri, 21 Oct 2011 17:54:41 -0700 (PDT)
Shoeb Bhinderwala shoeb.bhinderw...@gmail.com wrote:
Augh don't do this, you are begging for SQL injection attacks. I'll
set one of the elements in your list to:
'); DROP TABLE users; --
On Oct 21, 5:54 pm, Shoeb Bhinderwala shoeb.bhinderw...@gmail.com
wrote:
Hi
I wrote the following function to create a SQL IN clause from a list
of values.
It all depends on whether you sanitize the arguments yourself before building the SQL
string...
Luc
On Fri, 21 Oct 2011 19:23:22 -0700 (PDT)
Alan Malloy a...@malloys.org wrote:
Augh don't do this, you are begging for SQL injection attacks. I'll
set one of the elements in your list to:
'); DROP
Thanks. It is so much cleaner with interpose.
On Oct 21, 9:24 pm, Luc Prefontaine lprefonta...@softaddicts.ca
wrote:
user=> (str "('" (apply str (interpose "', '" [1 2 3 4 5])) "')")
"('1', '2', '3', '4', '5')"
Would be a way to do it. Interpose returns a lazy sequence so you need to
apply str to
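Added example, not code from the thread or from any of the posters: the string-concatenation IN clause discussed above run side by side with a parameterized one against an in-memory SQLite database. It is in Python rather than Clojure only because Python ships a SQL driver in the standard library; the `users` table and its rows are constructed for the demo, and `executescript` stands in for a driver or connection that accepts several statements in one call (which is what Alan's `'); DROP TABLE users; --` payload needs). The same pattern carries to JDBC from Clojure: build the `(?, ?, ...)` placeholder text from the length of the list and pass the values as bind parameters.

```python
"""Concatenated vs. parameterized SQL IN clause, run against SQLite.

Added example for the thread above; the table, rows and payloads are
constructed here and are not from the original posts.
"""
import sqlite3

# Constructed sample data (not from the thread). The apostrophe in the last
# name is deliberate: it is a legitimate value, not an attack.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]


def make_db():
    """Fresh in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def in_clause_unsafe(values):
    """The thread's approach: quote each value and join with ', '.
    Whatever is inside a value is spliced straight into the SQL text."""
    return "('" + "', '".join(str(v) for v in values) + "')"


def in_clause_param(values):
    """Return '(?, ?, ...)' with one placeholder per value. The values are
    bound separately by the driver and never become part of the SQL text."""
    values = list(values)
    if not values:
        # SQLite happens to tolerate IN (), most databases reject it; refuse it.
        raise ValueError("IN clause needs at least one value")
    return "(" + ", ".join("?" for _ in values) + ")"


def query_unsafe(conn, names):
    sql = "SELECT name FROM users WHERE name IN " + in_clause_unsafe(names)
    return [row[0] for row in conn.execute(sql)]


def query_param(conn, names):
    names = list(names)
    sql = "SELECT name FROM users WHERE name IN " + in_clause_param(names)
    return [row[0] for row in conn.execute(sql, names)]


def stacked_query_unsafe(conn, names):
    """Same concatenation, but run through executescript to model a driver
    that executes every statement it finds in the string."""
    sql = "SELECT name FROM users WHERE name IN " + in_clause_unsafe(names)
    conn.executescript(sql)


def users_table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def demo():
    """Run every case on one fresh database and collect the outcomes."""
    results = {}
    conn = make_db()
    results["unsafe_normal"] = query_unsafe(conn, ["bob"])
    # A legitimate apostrophe breaks the concatenated query before any attacker shows up.
    try:
        query_unsafe(conn, ["o'brien"])
        results["unsafe_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "syntax error"
    results["param_apostrophe"] = query_param(conn, ["o'brien"])
    # Tautology payload: concatenation returns every row, the bound version none.
    payload = "x') OR ('1'='1"
    results["unsafe_tautology"] = query_unsafe(conn, [payload])
    results["param_tautology"] = query_param(conn, [payload])
    # The thread's payload against the parameterized query is just an odd string...
    drop = "'); DROP TABLE users; --"
    results["param_drop"] = query_param(conn, ["bob", drop])
    results["table_after_param"] = users_table_exists(conn)
    # ...and against concatenation on a multi-statement connection the table is gone.
    stacked_query_unsafe(conn, ["bob", drop])
    results["table_after_unsafe"] = users_table_exists(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two caveats worth keeping in mind with the placeholder approach: an empty list yields `IN ()`, which most databases reject, so handle that case before building the query; and drivers cap the number of bind parameters per statement (SQLite's default limit was 999 before 3.32.0 and is 32766 since), so very long lists need batching or a temporary table rather than a bigger string.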