The rationale is that the low-level database interface accepts parameters directly instead of 
inserting them inside the query manually (like HoleyMonoid would do). Postgresql-simple 
also does parameter substitution on the Haskell side. This is not safe and may lead to 
http://en.wikipedia.org/wiki/SQL_injection because of improperly done backquoting. The low-level 
database interface knows better how to work with parameters, so the driver must pass them to it instead
of substituting the parameters itself. 

hdbi-postgresql just replaces "?" with the "$1" sequence, properly parsing and ignoring question marks inside double-quoted identifiers, quoted literals and even dollar-quoted literals (4.1.2.2. Dollar-Quoted String Constants).

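The "?" to "$1" rewriting described above, as an added example (not code from hdbi-postgresql or from this thread): a small scanner that numbers bare placeholders while copying double-quoted identifiers, single-quoted literals (with '' escapes) and dollar-quoted literals through untouched. The function name `rewrite_placeholders` and the dollar-quote tag pattern are my assumptions.

```python
import re

# Added example (not HDBI code): rewrite "?" placeholders to PostgreSQL's
# "$1", "$2", ... while leaving question marks alone inside double-quoted
# identifiers, single-quoted literals and dollar-quoted literals.
# Assumed dollar-quote tag shape: "$$" or "$tag$", tag = letter/underscore
# followed by word characters (so "$1" is never mistaken for a tag).
_DOLLAR_TAG = re.compile(r"\$(?:[A-Za-z_][A-Za-z0-9_]*)?\$")


def _skip_quoted(sql: str, i: int) -> int:
    """Return the index just past the quoted region that opens at sql[i].
    A doubled quote ('' or "") is an escaped quote, not the terminator."""
    q, j, n = sql[i], i + 1, len(sql)
    while j < n:
        if sql[j] == q:
            if j + 1 < n and sql[j + 1] == q:
                j += 2          # escaped quote, keep scanning
                continue
            return j + 1        # closing quote found
        j += 1
    raise ValueError(f"unterminated {q} quote starting at offset {i}")


def rewrite_placeholders(sql: str) -> str:
    """Replace each bare '?' with $1, $2, ... in order of appearance."""
    out, i, n, count = [], 0, len(sql), 0
    while i < n:
        c = sql[i]
        if c == "?":
            count += 1
            out.append(f"${count}")
            i += 1
        elif c in ("'", '"'):
            end = _skip_quoted(sql, i)      # copy the literal/identifier verbatim
            out.append(sql[i:end])
            i = end
        elif c == "$" and (m := _DOLLAR_TAG.match(sql, i)):
            tag = m.group(0)                 # e.g. "$$" or "$q$"
            close = sql.find(tag, m.end())   # body ends at the same tag
            if close < 0:
                raise ValueError(f"unterminated dollar quote {tag} at offset {i}")
            out.append(sql[i:close + len(tag)])
            i = close + len(tag)
        else:
            out.append(c)
            i += 1
    return "".join(out)
```

SQL comments and E'...' backslash-escaped strings are not handled here, so a question mark inside those would still be rewritten.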

2013/7/31 Tom Ellis <tom-lists-haskell-cafe-2013@jaguarpaw.co.uk>
On Wed, Jul 31, 2013 at 09:45:50AM +0600, Alexey Uimanov wrote:
> Hello, haskellers. This is the first release of HDBI (Haskell Database
> Independent interface).

Hi, thanks for this Alexey.  It's great that there is continued development
of this really important infrastructure for Haskell.

I have a question about variable interpolation, that is, using "?" parameter
placeholders in the query strings, as documented here:

    http://hackage.haskell.org/packages/archive/hdbi/1.0.0/doc/html/Database-HDBI.html

I know postgresql-simple does this, and presumably database access libraries
in other languages do this too.

What is the rationale for this when in Haskell we have safer methods of
interpolation at our disposal (for example HoleyMonoid)?  Is it simply a
matter of using the most familiar interface, or is there a deeper reason
this is necessary?

Thanks,

Tom


_______________________________________________
Haskell-Cafe mailing list
Haskell-Cafe@haskell.org
http://www.haskell.org/mailman/listinfo/haskell-cafe