[plt-scheme] Using prepared statements

From: YC (yinso.chen at gmail.com)
Date: Thu May 31 20:11:17 EDT 2007

One of the ignorances has to do with unfamiliarity with set programming plus
premature optimization.

Many production SQL code I've seen use concatenations to generate dynamic
sql statements for creating different where clauses and return different
columns, which of course leads to SQL injection problems (as well as
difficult to debug SQL query/stored procedures).  Often the developers in
charge (even experienced ones) don't know how to write one single sql
statement to represent the "different" sql statements (even if they know how
to do so they rather use dynamic SQL to write more compact thus "optimized"
statements).  The same developer often is more comfortable write cursors and
loops rather than using selects appropriately.

On 5/31/07, Danny Yoo <dyoo at cs.wpi.edu> wrote:
> I think it's ignorance.
> When I was doing Python programming, I saw newcomers work with the Python
> DBI and almost always not use prepared statements but rather string
> concatenate.  That's what their teacher told them to do.  And even people
> who should know better can propagate this problem.  Here's one example:
>      http://mail.python.org/pipermail/tutor/2003-April/022010.html
> I saw the same thing with many Java programmers: I rarely saw use of
> prepareStatement(), and even when I saw people using it, the code would
> completely miss the point of prepareStatement(); I'd see code like:
>      stmt = conn.prepareStatement("insert into article (title) values ('"
> +
>                                   title + "')");
>      stmt.executeQuery();
> which made me laugh and cry at the same time.
> I'm very glad that Hans's SQLID interface includes support for prepared
> statements.  I would like to see it highlighted more vividly in the
> documentation.  As it is, it's just a quick mention in:
> http://www.elemental-programming.org/sqli.html#_code__sqli_query_sqli_handle_query___args____boolean__code_
> as a set of optional arguments passed to the "query" method.
> _________________________________________________
>   For list-related administrative tasks:
>    http://list.cs.brown.edu/mailman/listinfo/plt-scheme
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.racket-lang.org/users/archive/attachments/20070531/39ed5c05/attachment.html>

Posted on the users mailing list.