[Haskell-cafe] ANNOUNCE: hdbi-1.0.0 and hdbi-postgresql-1.0.0

Alexey Uimanov s9gf4ult at gmail.com
Wed Jul 31 13:28:02 CEST 2013


The rationale is that the low-level database interface accepts parameters
directly instead of inserting them into the query manually (like HoleyMonoid
would do). Postgresql-simple also does parameter substitution on the Haskell
side. This is not safe and may lead to
http://en.wikipedia.org/wiki/SQL_injection because of improperly done
backquoting. The low-level database interface knows better how to work with
parameters, so the driver must pass them to it instead of substituting the
parameters itself.

hdbi-postgresql just replaces "?" with the "$1" sequence, properly parsing and
ignoring question marks inside double-quoted identifiers, quoted literals and
even dollar-quoted literals (4.1.2.2. Dollar-Quoted String Constants,
http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html).


2013/7/31 Tom Ellis <tom-lists-haskell-cafe-2013 at jaguarpaw.co.uk>

> On Wed, Jul 31, 2013 at 09:45:50AM +0600, Alexey Uimanov wrote:
> > Hello, haskellers. This is the first release of HDBI (Haskell Database
> > Independent interface).
>
> Hi, thanks for this Alexey.  It's great that there is continued development
> of this really important infrastructure for Haskell.
>
> I have a question about variable interpolation, that is, using "?" parameter
> placeholders in the query strings, as documented here:
>
> http://hackage.haskell.org/packages/archive/hdbi/1.0.0/doc/html/Database-HDBI.html
>
> I know postgresql-simple does this, and presumably database access libraries
> in other languages do this too.
>
> What is the rationale for this when in Haskell we have safer methods of
> interpolation at our disposal (for example HoleyMonoid)?  Is it simply a
> matter of using the most familiar interface, or is there a deeper reason
> this is necessary?
>
> Thanks,
>
> Tom
>
>
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org
> http://www.haskell.org/mailman/listinfo/haskell-cafe
>
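
The "?" to "$1" rewriting that the reply above describes, reimplemented as an added example in Python. This is not hdbi-postgresql's own Haskell code; the function names rewrite_placeholders and prepare, the _DOLLAR_TAG pattern and the sample query are all my own. It follows the three cases named in the message (double-quoted identifiers, single-quoted literals, dollar-quoted strings) and keeps the parameter values out of the query text entirely, so the server does the binding. It does not handle SQL comments or E'...' escape strings, which the message does not mention either.

```python
"""Rewrite '?' placeholders into PostgreSQL's numbered '$1', '$2', ... form.

Added example (Python, not hdbi-postgresql's Haskell code). Question marks
inside single-quoted literals, double-quoted identifiers and dollar-quoted
strings are copied through untouched; only placeholders in bare SQL are
numbered. Parameter values are never spliced into the text; they are returned
separately so the database does the binding.
"""
import re

# A dollar-quote opener is $$ or $tag$ where tag is an identifier-like word
# (assumption: tags starting with a digit are not accepted, matching PostgreSQL).
_DOLLAR_TAG = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")


def rewrite_placeholders(sql: str) -> tuple[str, int]:
    """Return (rewritten SQL, number of placeholders found)."""
    out = []
    i = 0
    n = len(sql)
    count = 0
    while i < n:
        c = sql[i]
        if c == "'" or c == '"':
            # Quoted literal or identifier: copy verbatim up to the closing
            # quote; a doubled quote ('' or "") is an escaped quote, not the end.
            j = i + 1
            while j < n:
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:
                        j += 2
                        continue
                    break
                j += 1
            else:
                raise ValueError("unterminated quote at offset %d" % i)
            out.append(sql[i:j + 1])
            i = j + 1
        elif c == "$":
            m = _DOLLAR_TAG.match(sql, i)
            if m:
                # Dollar-quoted string: runs until the same tag appears again.
                tag = m.group(0)
                end = sql.find(tag, m.end())
                if end == -1:
                    raise ValueError("unterminated dollar quote at offset %d" % i)
                out.append(sql[i:end + len(tag)])
                i = end + len(tag)
            else:
                # A bare '$' (for example an already-numbered '$1') is left alone.
                out.append(c)
                i += 1
        elif c == "?":
            count += 1
            out.append("$%d" % count)
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out), count


def prepare(sql: str, params: list) -> tuple[str, list]:
    """Pair a rewritten query with its parameter list, refusing mismatched counts."""
    rewritten, count = rewrite_placeholders(sql)
    if count != len(params):
        raise ValueError(
            "query has %d placeholders but %d values were given" % (count, len(params))
        )
    return rewritten, list(params)


# Constructed sample query: the '?' inside the identifier, the literal and the
# dollar-quoted string must survive; only the last two are real placeholders.
SAMPLE = ("SELECT \"is it?\" FROM t WHERE note = 'why?' "
          "AND body = $q$really?$q$ AND id = ? AND name = ?")

if __name__ == "__main__":
    # The apostrophe in the value never touches the SQL text, so no quoting
    # on the client side is needed or attempted.
    query, params = prepare(SAMPLE, [42, "O'Reilly"])
    print(query)
    print(params)
```

Running the module prints the rewritten query ending in `id = $1 AND name = $2` and the untouched parameter list; a driver would then send both to the server as a parameterised statement rather than building the final text itself.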