[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Emacs Modular Configuration: the preferable way.
From: |
Jean Louis |
Subject: |
Re: Emacs Modular Configuration: the preferable way. |
Date: |
Tue, 22 Jun 2021 00:07:13 +0300 |
User-agent: |
Mutt/2.0.7+183 (3d24855) (2021-05-28) |
* Emanuel Berg via Users list for the GNU Emacs text editor
<help-gnu-emacs@gnu.org> [2021-06-21 20:07]:
> > The language itself has evolved a lot since its beginnings
> > (to the better, IMO). But you still see extremely bad habits
> > "out there" which wouldn't be necessary these days --
> > because, well, they are "out there" (for example: assebling
> > SQL queries with sprintf [1]). They take a life of their own
> > :-)
>
> If it is string to begin with and the end result is a string
> one should be able to use string functions to "assemble" it.
I am thinking how can I make it safer for SQL queries. It seem
not an easy task. Major updating function is using this:
(let* ((table "new")
(column "new_name")
(new-value "'Joe'")
(id 1)
(sql (format "UPDATE %s SET %s = %s WHERE %s_id = %s RETURNING %s_id"
table column new-value table id table)))
(message sql)
(rcd-sql-first sql db)) ⇒ 1
Then I have to convert it to following by its meaning:
(let* ((table "new")
(column "new_name")
(new-value "'Joe'")
(id 1)
(parameters (list table column new-value id))
(sql "UPDATE $1 SET $2 = $3 WHERE $1_id = $4 RETURNING $1_id"))
(message sql)
(rcd-sql-first sql db parameters))
But no, that does not work:
if: Wrong type argument: stringp, ("ERROR: syntax error at or near \"$1\"
LINE 1: UPDATE $1 SET $2 = $3 WHERE $1_id = $4 RETURNING $1_id
^
" "42601")
As those paramters are probably converted to strings. Thus I
cannot avoid using the function `format' just everywhere, but I
can minimize it wherever there is possible danger for SQL
injection (though this below is not working):
(let* ((table "new")
(column "new_name")
(new-value "'Joe'")
(id 1)
(parameters (list new-value id))
(sql (format "UPDATE %s SET %s = $1 WHERE %s_id = $2 RETURNING %s_id"
table column table table)))
(message sql)
(rcd-sql-first sql db parameters))
Maybe solution would be to use `format' in steps, so that final
step can accept users' input.
Issue is not solved. First I have to contact developers of
`emacs-libpq' package to see if this is error, as it returns
string by supplying integer parameter:
This is not expected:
(pq:query db "SELECT $1" 100) ⇒ ("100")
While this is expected:
(pq:query db "SELECT $1" "100") ⇒ ("100")
So the issue is pending on Github:
https://github.com/anse1/emacs-libpq/issues/19
--
Jean
Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
In support of Richard M. Stallman
https://stallmansupport.org/
- Re: FW: [External] : Re: Emacs Modular Configuration: the preferable way., (continued)
- Re: FW: [External] : Re: Emacs Modular Configuration: the preferable way., Emanuel Berg, 2021/06/25
- Re: Emacs Modular Configuration: the preferable way., tomas, 2021/06/21
- Re: Emacs Modular Configuration: the preferable way., Emanuel Berg, 2021/06/21
- Re: Emacs Modular Configuration: the preferable way., Eli Zaretskii, 2021/06/21
- Re: Emacs Modular Configuration: the preferable way., Jean Louis, 2021/06/21
- Re: Emacs Modular Configuration: the preferable way., Eli Zaretskii, 2021/06/22
- Re: Emacs Modular Configuration: the preferable way., Jean Louis, 2021/06/22
- Re: Emacs Modular Configuration: the preferable way., Eli Zaretskii, 2021/06/22
- Re: Emacs Modular Configuration: the preferable way., Stefan Monnier, 2021/06/21
- Re: Emacs Modular Configuration: the preferable way., Emanuel Berg, 2021/06/21
- Re: Emacs Modular Configuration: the preferable way.,
Jean Louis <=
- Re: Emacs Modular Configuration: the preferable way., Emanuel Berg, 2021/06/21
- Re: Printf and quoting in general, SQL injection in particular, Jean Louis, 2021/06/21
- Re: Printf and quoting in general, SQL injection in particular, Emanuel Berg, 2021/06/26
- Re: Printf and quoting in general, SQL injection in particular, Yuri Khan, 2021/06/26
- Re: Printf and quoting in general, SQL injection in particular, Emanuel Berg, 2021/06/26
- Re: Printf and quoting in general, SQL injection in particular, tomas, 2021/06/26
- Re: Printf and quoting in general, SQL injection in particular, Jean Louis, 2021/06/28
- Re: Emacs Modular Configuration: the preferable way., Jean Louis, 2021/06/21
- Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way], tomas, 2021/06/21
- Re: Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way], Jean Louis, 2021/06/21