Boost Users :

From: Paul Davis (pjdavis_at_[hidden])
Date: 2006-09-12 11:34:04


On 9/12/06, loufoque <mathias.gaunard_at_[hidden]> wrote:
>
> Scott Meyers wrote:
>
> > An example:
> > System.Data.SqlClient.SqlParameter is a class that describes a bound
> > parameter used in a database statement. Bound parameters are essential
> > to prevent SQL injection attacks. They should be exceedingly easy to use
> > since the "competition" (string concatenation of parameters into the SQL
> > statement) is easy, well understood, and dangerous.
>
> You can construct safe SQL queries with streams or printf-like syntax
> easily

std::string id = "2 ; delete from persons ;";   // attacker-controlled input

std::ostringstream sql;
sql << "select first_name, last_name, date_of_birth "
    << "from persons where id = " << id;        // value spliced into the SQL text

Someone just deleted your persons table. Oops.

No need to put objects everywhere that complexify everything.
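The concatenated query from this message next to the bound-parameter form Scott Meyers is arguing for, as an added C++ example that is not part of the original thread; the BoundQuery struct and the countStatements helper are assumptions standing in for a real driver's prepared statement and the server's parser:

```cpp
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Constructed hostile input, exactly the value used in the message above.
const std::string kHostileId = "2 ; delete from persons ;";

// Vulnerable pattern: the parameter value is pasted into the SQL text itself.
std::string buildByConcatenation(const std::string& id) {
    std::ostringstream sql;
    sql << "select first_name, last_name, date_of_birth "
        << "from persons where id = " << id;
    return sql.str();
}

// Stand-in for a prepared statement (hypothetical type): the SQL text is fixed
// and uses a '?' placeholder; the value travels separately and is never parsed
// as SQL by the server, whatever it contains.
struct BoundQuery {
    std::string text;
    std::vector<std::string> params;
};

BoundQuery buildWithBinding(const std::string& id) {
    return BoundQuery{
        "select first_name, last_name, date_of_birth from persons where id = ?",
        {id}};
}

// Hypothetical helper approximating what the server sees: counts statements
// separated by ';' outside single-quoted literals.
int countStatements(const std::string& text) {
    int count = 0;
    bool inLiteral = false, sawToken = false;
    for (char c : text) {
        if (c == '\'') { inLiteral = !inLiteral; sawToken = true; }
        else if (c == ';' && !inLiteral) { if (sawToken) ++count; sawToken = false; }
        else if (!std::isspace(static_cast<unsigned char>(c))) sawToken = true;
    }
    return count + (sawToken ? 1 : 0);
}

int main() {
    std::cout << "concatenated: " << countStatements(buildByConcatenation(kHostileId))
              << " statement(s)\n";   // 2: the delete rides along
    std::cout << "bound:        " << countStatements(buildWithBinding(kHostileId).text)
              << " statement(s)\n";   // 1: the hostile value is just data
    return 0;
}
```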

_______________________________________________
> Boost-users mailing list
> Boost-users_at_[hidden]
> http://lists.boost.org/mailman/listinfo.cgi/boost-users
>



Boost-users list run by williamkempf at hotmail.com, kalb at libertysoft.com, bjorn.karlsson at readsoft.com, gregod at cs.rpi.edu, wekempf at cox.net