
From: Ruben Perez (rubenperez038_at_[hidden])
Date: 2022-05-12 10:57:56


On Thu, 12 May 2022 at 07:59, Rainer Deyke via Boost
<boost_at_[hidden]> wrote:
>
> Two possible workarounds:
> - Allow conn.query("COMMIT") but disallow conn.query("SELECT * FROM
> employee WHERE company_id = 'HGS'"), somehow.
> - Provide conn.commit() which calls conn.unsafe_query("COMMIT").
> I'm not really too fond of either of them.

I can see the second one. It's actually done this way in the Python
DB2 API. Raised https://github.com/anarthal/mysql/issues/68
to track it.

>
> >> - Syntax sugar for a one-off parametrized query wouldn't hurt either.
> >
> > This requires a decent amount of work, as it requires implementing
> > SQL sanitizing client-side. I'm not very keen on it, as it's very possible
> > to get it wrong and end up introducing a vulnerability that wouldn't have
> > existed with prepared statements. I can have a look at how complex this
> > would be if the community thinks it really adds a lot of value.
>
> What if this worked by creating a prepared statement behind the scenes?
> The idea of a one-off query is that it is only used once per program
> invocation, so the performance cost of constructing a prepared statement
> should be negligible.

I like the idea. Raised https://github.com/anarthal/mysql/issues/69 to track it.

>
>
> --
> Rainer Deyke (rainerd_at_[hidden])

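The two API shapes discussed in this thread (a fixed-text `commit()` helper, and a one-off parametrized query that is executed as a prepared statement behind the scenes rather than sanitized client-side), shown as an added example that is not code from Boost.MySQL or from either poster. Python's `sqlite3` module stands in for a MySQL connection, the `SafeConnection` wrapper and the `employee` table are hypothetical, and the injection-shaped input is constructed for the demonstration.

```python
"""Added example: constant-text commit() plus a one-off parametrized query,
compared with string concatenation. sqlite3 stands in for Boost.MySQL here;
SafeConnection and the sample table are hypothetical."""
import sqlite3


def make_db():
    """Constructed sample data: an in-memory employee table.
    isolation_level=None disables implicit transactions so BEGIN/COMMIT
    can be sent as plain text, as a MySQL client would."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, company_id TEXT)"
    )
    conn.executemany(
        "INSERT INTO employee (name, company_id) VALUES (?, ?)",
        [("Alice", "HGS"), ("Bob", "HGS"), ("Carol", "ACME")],
    )
    return conn


class SafeConnection:
    """Hypothetical wrapper mirroring the thread's proposals: no method
    accepts free-form SQL text built from user data."""

    def __init__(self, raw):
        self._raw = raw

    def begin(self):
        # Constant statement text only; nothing from the caller is spliced in.
        self._raw.execute("BEGIN")

    def commit(self):
        # The conn.commit() shape from the thread: a fixed "COMMIT" string.
        self._raw.execute("COMMIT")

    def query_once(self, sql, params=()):
        # One-off parametrized query: the driver prepares the statement and
        # binds params separately, so user data never becomes SQL text.
        cur = self._raw.execute(sql, params)
        try:
            return cur.fetchall()
        finally:
            cur.close()


def query_concat(conn, company_id):
    """The pattern the thread warns against: user data pasted into SQL text."""
    sql = (
        "SELECT name FROM employee WHERE company_id = '"
        + company_id
        + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def query_parametrized(safe, company_id):
    rows = safe.query_once(
        "SELECT name FROM employee WHERE company_id = ? ORDER BY id",
        (company_id,),
    )
    return [row[0] for row in rows]


# Constructed injection-shaped input used only to show the difference.
PAYLOAD = "' OR '1'='1"


def demo():
    conn = make_db()
    safe = SafeConnection(conn)
    # A transaction whose DML also goes through the parametrized path.
    safe.begin()
    safe.query_once(
        "INSERT INTO employee (name, company_id) VALUES (?, ?)", ("Dave", "HGS")
    )
    safe.commit()
    return {
        "concat_normal": query_concat(conn, "HGS"),
        "concat_payload": query_concat(conn, PAYLOAD),   # every row leaks
        "param_normal": query_parametrized(safe, "HGS"),
        "param_payload": query_parametrized(safe, PAYLOAD),  # treated as data: no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point the wrapper makes concrete is that the library never has to get escaping rules right (quote doubling, backslashes, charset quirks) because the parameters travel separately from the statement text; the cost is one prepare round trip, which for a query run once per program invocation is negligible, as the thread notes.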

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk