Why are String Formatted Queries Considered So Magical?

Carl Banks pavlovevidence at gmail.com
Sun Jun 27 18:07:28 EDT 2010


On Jun 24, 6:02 pm, Roy Smith <r... at panix.com> wrote:
> In article <i00t2k$l0... at lust.ihug.co.nz>,
>  Lawrence D'Oliveiro <l... at geek-central.gen.new_zealand> wrote:
>
> > I construct ad-hoc queries all the time. It really isn’t that hard to do
> > safely. All you have to do is read the documentation
>
> I get worried when people talk about how easy it is to do something
> safely.  Let me suggest a couple of things you might not have considered:
>
> 1) Somebody is running your application (or the database server) with
> the locale set to something unexpected.  This might change how numbers,
> dates, currency, etc, get formatted, which could change the meaning of
> your constructed SQL statement.
>
> 2) Somebody runs your application with a different PYTHONPATH, which
> causes a different (i.e. malicious) urllib module to get loaded, which
> makes urllib.quote() do something you didn't expect.

Seriously, almost every other kind of library uses a binary API. What
makes databases so special that they need a string-command based API?
How about this instead (where this a direct binary interface to the
library):

results = rdb_query(table = model,
                    columns = [model.name, model.number])

results = rdb_inner_join(tables = [records, tags],
                         joins = [(records.id, tags.record_id)],
                         columns = [record.name, tag.name])

Well, we know the real reason is that C, Java, and friends lack
expressiveness and so constructing a binary query is an ASCII
nightmare.  Still, it hasn't stopped binary APIs in other kinds of
libraries.


Carl Banks
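An added illustration, not part of Carl Banks's post or the thread: a small Python sketch of the "binary" query interface he describes, written against the standard-library sqlite3 module. Table and column names are validated as identifiers and quoted, while values are bound by the driver; the string-formatted style is kept alongside to show why it is fragile. The rdb_query signature, the model table and the sample rows are constructed here, not taken from the post.

```python
import re
import sqlite3

# Constructed sample data (not from the original thread).
ROWS = [("alice", 1), ("bob", 2), ("carol", 3), ("O'Brien", 4)]

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def setup() -> sqlite3.Connection:
    """Build an in-memory table shaped like the 'model' in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE model (name TEXT, number INTEGER)")
    conn.executemany("INSERT INTO model VALUES (?, ?)", ROWS)
    return conn


def _ident(name: str) -> str:
    # Identifiers (tables, columns) cannot be passed as bound parameters,
    # so they are checked against a strict pattern and quoted, never
    # interpolated raw.
    if not _IDENT.match(name):
        raise ValueError(f"bad identifier: {name!r}")
    return f'"{name}"'


def rdb_query(conn, table, columns, where=None):
    """Structured query: identifiers validated, values bound by the driver.

    Hypothetical helper modelled on the rdb_query() idea in the post.
    """
    where = where or {}
    sql = f"SELECT {', '.join(_ident(c) for c in columns)} FROM {_ident(table)}"
    if where:
        sql += " WHERE " + " AND ".join(f"{_ident(k)} = ?" for k in where)
    # Values travel separately from the SQL text, so quotes in data stay data.
    return conn.execute(sql, tuple(where.values())).fetchall()


def formatted_query(conn, name):
    """The string-formatted style the thread argues against: a legitimate
    name containing an apostrophe already breaks the statement."""
    sql = f"SELECT name, number FROM model WHERE name = '{name}'"
    return conn.execute(sql).fetchall()
```

Running rdb_query with the name O'Brien returns that row, while formatted_query raises sqlite3.OperationalError on the same benign input, which is the point the post makes about keeping data out of the command string.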
