I thought I had finally devised a good method to dynamically construct SQL queries in #Perl, but it turns out I can make a horrible mess of everything.

@ayo I have a theory that the only thing that can appear in a client application is "call proc_name (arguments);", if the server is properly configured to accept only these, SQL injection is no longer an issue.

@amiloradovsky SQL injection isn't the problem, though - the code in the screenshot is safe from that. The problem is overly dynamic queries with filters and sorting depending on user input. And this is actually a simple example...
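The pattern ayo describes, filters and sorting driven by user input, is where dynamic query builders usually go wrong, because column names cannot be passed as bind values. The following Perl is an added example, not code from the thread or from the screenshot it discusses; it assumes a hypothetical `users` table with the columns listed in `%ALLOWED`. Values always travel as `?` placeholders, and identifiers are only ever interpolated from a fixed allowlist.

```perl
#!/usr/bin/env perl
# Added example: build a dynamic SELECT from user-supplied filters and sort
# options without interpolating user input into the SQL text.
use strict;
use warnings;

# Columns a caller may filter or sort on (assumed schema). Identifiers cannot
# be bound as parameters, so anything outside this allowlist is rejected.
my %ALLOWED = map { $_ => 1 } qw(id name created_at status);

# build_query(\%filters, $sort_col, $sort_dir) returns ($sql, \@binds).
# Filter values go into @binds; only allowlisted identifiers reach the SQL.
sub build_query {
    my ($filters, $sort_col, $sort_dir) = @_;
    my (@where, @binds);

    for my $col (sort keys %$filters) {
        die "filter on column '$col' not allowed\n" unless $ALLOWED{$col};
        my $val = $filters->{$col};
        if (ref $val eq 'ARRAY') {
            # IN (...) with one placeholder per value, never a joined string
            die "empty IN list for '$col'\n" unless @$val;
            push @where, "$col IN (" . join(', ', ('?') x @$val) . ')';
            push @binds, @$val;
        }
        else {
            push @where, "$col = ?";
            push @binds, $val;
        }
    }

    my $sql = 'SELECT id, name, created_at, status FROM users';
    $sql .= ' WHERE ' . join(' AND ', @where) if @where;

    if (defined $sort_col) {
        die "sort on column '$sort_col' not allowed\n" unless $ALLOWED{$sort_col};
        # Direction is normalised to one of two literals, not copied from input.
        my $dir = (defined $sort_dir && uc $sort_dir eq 'DESC') ? 'DESC' : 'ASC';
        $sql .= " ORDER BY $sort_col $dir";
    }
    return ($sql, \@binds);
}

# Constructed request, as it might arrive from a query string.
my %request = (
    filters => { status => 'active', id => [3, 7, 11] },
    sort    => 'created_at',
    dir     => 'desc',
);

my ($sql, $binds) = build_query($request{filters}, $request{sort}, $request{dir});
print "$sql\n";
# SELECT id, name, created_at, status FROM users WHERE id IN (?, ?, ?) AND status = ? ORDER BY created_at DESC
print join(', ', @$binds), "\n";
# 3, 7, 11, active

# A sort on a column that is not in the allowlist (here a sensitive one) is
# refused before any SQL is assembled.
eval { build_query({}, 'password_hash', undef) };
print "rejected: $@" if $@;
```

The returned pair is handed straight to DBI as `$dbh->prepare($sql)->execute(@$binds)`. Keeping identifier validation in one place is what keeps the builder reviewable as the number of optional filters grows.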

@ayo Oh, I wasn't criticizing the code in the screenshot per se. But sure, the more complex the composed query is, the harder it is to ensure its safety.

@amiloradovsky That is certainly true. Integrating SQL into the host language type system (if it has a static one, i.e. not Perl) really helps with that, but tends to heavily complicate and limit the flexibility of queries.


@ayo But all the flexibility should only be used on the server anyway.

Functional Café

functional.cafe is an instance for people interested in functional programming and languages.