[plt-scheme] Using prepared statements

From: Danny Yoo (dyoo at cs.wpi.edu)
Date: Thu May 31 19:45:03 EDT 2007

>>  Are there static type systems that can protect against, e.g., SQL
>>  injection?
> I have always wondered why people aren't using Prepare more. Is it too 
> expensive? Or is the reason perhaps that people are using languages 
> without closures?

I think it's ignorance.

When I was doing Python programming, I saw newcomers work with the Python 
DBI and almost always not use prepared statements but rather string 
concatenate.  That's what their teacher told them to do.  And even people 
who should know better can propagate this problem.  Here's one example:


I saw the same thing with many Java programmers: I rarely saw use of 
prepareStatement(), and even when I saw people using it, the code would 
completely miss the point of prepareStatement(); I'd see code like:

     stmt = conn.prepareStatement("insert into article (title) values ('" +
                                  title + "')");

which made me laugh and cry at the same time.

I'm very glad that Hans's SQLID interface includes support for prepared 
statements.  I would like to see it highlighted more vividly in the 
documentation.  As it is, it's just a quick mention in:


as a set of optional arguments passed to the "query" method.

Posted on the users mailing list.