
The rationale is that the low-level database interface accepts parameters
directly instead of inserting them inside the query manually (as HoleyMonoid would do).
postgresql-simple also does parameter substitution on the Haskell side. This is not safe and may
lead to SQL injection (http://en.wikipedia.org/wiki/SQL_injection) because of improperly done
backquoting. The low-level database interface knows better how to work with parameters, so the driver
must pass them to it instead of substituting the parameters itself.
hdbi-postgresql just replaces "?" with "$1"-style sequences, properly parsing and
ignoring question marks inside double-quoted identifiers, quoted
literals and even dollar-quoted literals (see 4.1.2.2, "Dollar-Quoted String
Constants", http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html).
2013/7/31 Tom Ellis
On Wed, Jul 31, 2013 at 09:45:50AM +0600, Alexey Uimanov wrote:
Hello, haskellers. This is the first release of HDBI (Haskell Database Independent interface).
Hi, thanks for this Alexey. It's great that there is continued development of this really important infrastructure for Haskell.
I have a question about variable interpolation, that is, using "?" parameter placeholders in the query strings, as documented here:
http://hackage.haskell.org/packages/archive/hdbi/1.0.0/doc/html/Database-HDB...
I know postgresql-simple does this, and presumably database access libraries in other languages do this too.
What is the rationale for this when in Haskell we have safer methods of interpolation at our disposal (for example HoleyMonoid)? Is it simply a matter of using the most familiar interface, or is there a deeper reason this is necessary?
Thanks,
Tom
_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe
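The placeholder rewriting Alexey describes (turn each "?" into "$1", "$2", ... while leaving question marks inside quoted literals, double-quoted identifiers and dollar-quoted strings alone) is, in essence, a small lexer for PostgreSQL's string syntax. The following is an added example and is not code from HDBI or hdbi-postgresql; it is written in Python rather than Haskell so it can be run directly, and all function names in it (`number_placeholders` and its `_scan_*` helpers) are invented for illustration. It goes slightly beyond what the message lists, because the same lexical rules also require skipping E'...' escape strings and "--" / nested "/* */" comments, and it refuses unterminated regions instead of guessing where they end.

```python
import re

# Opener of a PostgreSQL dollar-quoted string: $$ or $tag$ (tag may not start with a digit).
# All names below are hypothetical helpers for this example, not hdbi-postgresql's own code.
_DOLLAR_OPEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")


def _is_ident_char(sql, idx):
    """True if sql[idx] could be part of an identifier. Used so that the E of an
    identifier ending in E, or a $ inside an identifier like a$b, is not misread."""
    return idx >= 0 and (sql[idx].isalnum() or sql[idx] == "_")


def _scan_quoted(sql, i, quote, backslash=False):
    """Return the index just past the quoted region opening at sql[i] == quote.
    A doubled quote ('' or "") is an escaped quote, not a terminator; E'...'
    strings (backslash=True) additionally escape with a backslash."""
    j = i + 1
    n = len(sql)
    while j < n:
        ch = sql[j]
        if backslash and ch == "\\":
            j += 2          # skip the escaped character, whatever it is
            continue
        if ch == quote:
            if j + 1 < n and sql[j + 1] == quote:
                j += 2      # doubled quote: still inside the region
                continue
            return j + 1
        j += 1
    raise ValueError("unterminated %s-quoted region at offset %d" % (quote, i))


def _scan_dollar(sql, i, m):
    """Return the index just past the dollar-quoted string whose opener matched at i.
    The body is opaque: it ends only at the identical closer, e.g. $tag$ ... $tag$."""
    closer = m.group(0)
    end = sql.find(closer, m.end())
    if end < 0:
        raise ValueError("unterminated dollar-quoted string at offset %d" % i)
    return end + len(closer)


def _scan_block_comment(sql, i):
    """Return the index just past the /* ... */ comment opening at i.
    PostgreSQL block comments nest, so a depth counter is needed."""
    depth = 0
    j = i
    n = len(sql)
    while j < n:
        if sql.startswith("/*", j):
            depth += 1
            j += 2
        elif sql.startswith("*/", j):
            depth -= 1
            j += 2
            if depth == 0:
                return j
        else:
            j += 1
    raise ValueError("unterminated block comment at offset %d" % i)


def number_placeholders(sql):
    """Rewrite '?' placeholders to $1, $2, ... and return (new_sql, count).

    Only '?' characters in the code part of the query are renumbered; those
    inside single-quoted literals, E'...' strings, double-quoted identifiers,
    dollar-quoted strings and comments are copied through untouched. Parameter
    values never enter the text at all; they are meant to be sent separately as
    bind parameters, which is the whole point of the scheme."""
    out = []
    count = 0
    i = 0
    n = len(sql)
    while i < n:
        ch = sql[i]
        if ch == "?":
            count += 1
            out.append("$%d" % count)
            i += 1
            continue
        if ch == "'":
            j = _scan_quoted(sql, i, "'")
        elif ch in "eE" and sql.startswith("'", i + 1) and not _is_ident_char(sql, i - 1):
            j = _scan_quoted(sql, i + 1, "'", backslash=True)   # E'...' escape string
        elif ch == '"':
            j = _scan_quoted(sql, i, '"')                        # quoted identifier
        elif ch == "$" and not _is_ident_char(sql, i - 1) and _DOLLAR_OPEN.match(sql, i):
            j = _scan_dollar(sql, i, _DOLLAR_OPEN.match(sql, i))
        elif sql.startswith("--", i):
            nl = sql.find("\n", i)
            j = n if nl < 0 else nl + 1                          # line comment
        elif sql.startswith("/*", i):
            j = _scan_block_comment(sql, i)
        else:
            j = i + 1
        out.append(sql[i:j])
        i = j
    return "".join(out), count
```

One caveat worth knowing: the scanner assumes `standard_conforming_strings = on` (the PostgreSQL default since 9.1), where a backslash inside a plain `'...'` literal is an ordinary character. With that setting off, plain literals also take backslash escapes and a client-side scanner that does not know the server's setting can mis-find the end of a literal. That is precisely the kind of server-dependent lexical detail that makes Haskell-side value substitution risky, and why handing the values themselves to the server as bind parameters, as Alexey describes, is the safer design.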