From: Matias Capeletto (matias.capeletto_at_[hidden])
Date: 2006-04-29 17:07:45


On 4/29/06, Stephen Dolan <stedolan2_at_[hidden]> wrote:
> Not a full review, just a comment:
>
> The proposed property tree library uses a small internal language which is
> passed to the various functions, for instance:
>
> file = ptree.get<std::string>("config.filename");
>
> Personally, I don't think it's a good idea to define new syntaxes and pass
> them around as strings. It would be a bit more effort to implement, but I
> think (something like) the following would be preferable:
>
> file = ptree.get<std::string>["config"]["filename"]
>
> I'm thinking largely of the dangers of passing a user-supplied string as
> part of the path, as in get<std::string>("config."+prop_name); since this
> can lead to insecurities as the query language gets more powerful. (e.g. SQL
> injection in PHP and other languages, people exploiting Perl scripts by
> passing carefully crafted strings which work their way into an eval, etc).
> Also, there is an additional runtime overhead in parsing the string, which
> can be avoided by doing it at compile-time using C++'s native syntax.

If you are interested in variants of this approach please search the
list (path concept, operator/, operator[], will lead you to the
posts). We have had quite an active discussion on this topic. Many
proposals from many people were developed and thrown to the list. Marcin
has said that he will indeed change the interface (I think in a way
where the actual syntax is seamlessly supported). Now it is up to him to
choose and merge the ideas in a coherent framework.
Regards,
Matias Capeletto

PS: I don't know if I can, but I raise both hands to vote yes to ptree.
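
The concern raised in the quoted message about get<std::string>("config."+prop_name), as an added example that is not part of the original posts and not the proposed library's code: Node, get_by_path, get_by_keys and the sample data are hypothetical stand-ins constructed for illustration. It shows a user-supplied name containing the separator selecting a nested node under string-path lookup, while per-component lookup treats the same name as one literal key.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Minimal stand-in for a property tree (hypothetical, not the proposed library).
struct Node { std::string name, value; std::vector<Node> children; };

// Direct child whose name equals key exactly, or nullptr.
const Node* child(const Node* n, const std::string& key) {
    if (n)
        for (const Node& c : n->children)
            if (c.name == key) return &c;
    return nullptr;
}

// String-path lookup: every '.' in the path acts as a separator.
const Node* get_by_path(const Node& root, const std::string& path) {
    const Node* cur = &root;
    for (std::size_t start = 0; cur;) {
        std::size_t dot = path.find('.', start);
        cur = child(cur, path.substr(start, dot - start));
        if (dot == std::string::npos) break;
        start = dot + 1;
    }
    return cur;
}

// Component lookup: each key is matched whole, so '.' is an ordinary character.
const Node* get_by_keys(const Node& root, const std::vector<std::string>& keys) {
    const Node* cur = &root;
    for (const std::string& k : keys) cur = child(cur, k);
    return cur;
}

// Constructed sample data: config.filename and config.db.password.
Node make_sample() {
    Node db{"db", "", {{"password", "constructed-secret", {}}}};
    Node config{"config", "", {{"filename", "app.log", {}}, db}};
    return Node{"", "", {config}};
}

int main() {
    const Node root = make_sample();
    const std::string prop_name = "db.password";  // constructed user-supplied value
    const Node* a = get_by_path(root, "config." + prop_name);
    const Node* b = get_by_keys(root, {"config", prop_name});
    std::cout << (a ? a->value : "<none>") << ' ' << (b ? b->value : "<none>") << '\n';
}
```

A caller that must build a string path can get the same effect by rejecting any user-supplied name that contains the separator before concatenating it.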


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk