
On Fri, Dec 21, 2012 at 3:15 PM, Erik de Castro Lopo wrote:
> Mike Meyer wrote:
> [...]
> Is there already a Haskell package that does this? Possibly part of a web framework? I've been using Esqueleto (an SQL EDSL) and it sanitizes/quotes all values while constructing SQL queries.
From that description, this is actually different from what I'm talking about. It's typical for SQL packages even in dynamic languages.
What I have in mind is that the query (with placeholders for the values) would have to be a string constant (provided by the programmer) or flagged as "checked and not tainted" by the programmer; otherwise trying to run the query would fail to type check. If you have a system where you want to let the user select the column names in the query, then SQL placeholders/sanitation may not work - you need to build the query string "by hand". Being able to use the type checking system to ensure that no string gets used that hasn't been sanitized would be nice.
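A sketch of the scheme described above, added here as illustration rather than taken from the thread or from any existing package: a newtype whose only entry points are a string literal (via `IsString` under `OverloadedStrings`) or an explicit, greppable `markChecked`, so a plain `String` built from user input will not type check as a query. The names `SafeQuery`, `markChecked`, `columnFromList` and `runQuery` are this example's own, and the "database" is just a print.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

-- In a real library, export SafeQuery WITHOUT its constructor, so the
-- only ways to obtain one are the literal instance and markChecked.
newtype SafeQuery = SafeQuery String

-- A string literal becomes a SafeQuery automatically: constants written by
-- the programmer are trusted.
instance IsString SafeQuery where
  fromString = SafeQuery

-- The programmer's explicit "checked and not tainted" flag. Every use of
-- it is a reviewable decision rather than an accident.
markChecked :: String -> SafeQuery
markChecked = SafeQuery

-- The hand-built-column case: a user-chosen column is only accepted if it
-- appears in a whitelist, and only then does it become query text.
columnFromList :: [String] -> String -> Maybe SafeQuery
columnFromList allowed col
  | col `elem` allowed = Just (SafeQuery col)
  | otherwise          = Nothing

-- Composing checked fragments stays inside the type.
selectBy :: SafeQuery -> SafeQuery
selectBy (SafeQuery col) =
  SafeQuery ("SELECT * FROM users WHERE " ++ col ++ " = ?")

-- Only a SafeQuery can be run; values still travel as placeholders.
runQuery :: SafeQuery -> [String] -> IO ()
runQuery (SafeQuery q) params =
  putStrLn (q ++ "   -- params: " ++ show params)

main :: IO ()
main = do
  let userInput = "email" :: String   -- constructed sample input
  case columnFromList ["email", "name"] userInput of
    Just col -> runQuery (selectBy col) ["bob@example.com"]
    Nothing  -> putStrLn "rejected column name"
  runQuery "SELECT 1" []
  -- The following does not compile: a String is not a SafeQuery.
  -- runQuery ("SELECT * FROM users WHERE " ++ userInput ++ " = ?") []
```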