[plt-scheme] Using prepared statements

From: Danny Yoo (dyoo at cs.wpi.edu)
Date: Thu May 31 19:45:03 EDT 2007

>>  Are there static type systems that can protect against, e.g., SQL
>>  injection?
>
> I have always wondered why people aren't using Prepare more. Is it too 
> expensive? Or is the reason perhaps that people are using languages 
> without closures?


I think it's ignorance.

When I was doing Python programming, I saw newcomers work with the Python 
DBI and almost always not use prepared statements but rather string 
concatenate.  That's what their teacher told them to do.  And even people 
who should know better can propagate this problem.  Here's one example:

     http://mail.python.org/pipermail/tutor/2003-April/022010.html

I saw the same thing with many Java programmers: I rarely saw use of 
prepareStatement(), and even when I saw people using it, the code would 
completely miss the point of prepareStatement(); I'd see code like:

     stmt = conn.prepareStatement("insert into article (title) values ('" +
                                  title + "')");
     stmt.executeQuery();

which made me laugh and cry at the same time.



I'm very glad that Hans's SQLID interface includes support for prepared 
statements.  I would like to see it highlighted more vividly in the 
documentation.  As it is, it's just a quick mention in:

http://www.elemental-programming.org/sqli.html#_code__sqli_query_sqli_handle_query___args____boolean__code_

as a set of optional arguments passed to the "query" method.


Posted on the users mailing list.
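The concatenation anti-pattern from the Java snippet above, beside its parameterized counterpart, written here in Python against the standard library's sqlite3 module (a DB-API driver, the "Python DBI" the post refers to). This is an added example, not code from the post or from Hans's SQLID; the `article` table, the function names and the sample title are constructed for the demonstration.

```python
import sqlite3

# Constructed sample: an ordinary title containing a single quote. It is not
# an attack string, just the kind of data that breaks string concatenation
# while a parameterized query stores it verbatim.
SAMPLE_TITLE = "Hans' SQLID interface"


def make_db():
    """Fresh in-memory database with the one-column 'article' table from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (title text)")
    return conn


def stored_titles(conn):
    """Return every title currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("select title from article")]


def insert_concatenated(conn, title):
    """The anti-pattern: the value is spliced into the SQL text itself.

    Returns (titles, None) on success or (None, error_text) when the data
    has corrupted the statement, which is exactly what a quote in the title does.
    """
    sql = "insert into article (title) values ('" + title + "')"
    try:
        conn.execute(sql)
    except sqlite3.Error as exc:  # the quote ends the literal early: syntax error
        return None, str(exc)
    return stored_titles(conn), None


def insert_prepared(conn, title):
    """The parameterized form: the SQL text is fixed and contains only a
    placeholder; the value is handed to the driver separately, so nothing in
    the data can change the statement's structure."""
    conn.execute("insert into article (title) values (?)", (title,))
    return stored_titles(conn)


if __name__ == "__main__":
    rows, err = insert_concatenated(make_db(), SAMPLE_TITLE)
    print("concatenated:", rows, "error:", err)
    print("prepared:    ", insert_prepared(make_db(), SAMPLE_TITLE))
```

Run it and the concatenated insert fails with a parse error on the apostrophe, while the prepared insert stores the title unchanged.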