From: Jean Louis <bugs@gnu.support>
To: Tomas Hlavaty <tom@logand.com>
Cc: Philip Kaludercic <philipk@posteo.net>,
Lynn Winebarger <owinebar@gmail.com>,
Jonas Bernoulli <jonas@bernoul.li>,
emacs-devel@gnu.org
Subject: Re: [NonGNU ELPA] New package: sqlite3
Date: Fri, 7 Apr 2023 07:53:16 +0300
Message-ID: <ZC+hvPjRK++pQvqq@protected.localdomain>
In-Reply-To: <87y1npbz07.fsf@logand.com>
* Tomas Hlavaty <tom@logand.com> [2023-03-22 00:03]:
> The idea is that one should not concatenate strings by hand but one
> should write the query as sexp (likely build that cons tree using quote
> or backquote). That cons tree should then be converted to string by a
> lisp function. Only after that should the string be passed to sqlite.
>
> sexp (cons tree) -> string -> sqlite
I have got 2027 SELECT statements, 463 INSERT statements, and 81
UPDATE statements in Emacs Lisp, mostly for PostgreSQL, a little less
for SQLite3.
There are many string concatenations, and I never had a visual problem
with it. Maybe it depends on various styles of programming.
Example:
--------
(defun rcd-db-words-list-translations (&optional id)
  "List translations of the table `words'"
  (interactive)
  (when-tabulated-id "words"
    (let ((sql (format "SELECT translations_id, languages_name, words_value, translations_translation FROM translations, languages, words WHERE words_id = translations_words AND languages_id = translations_languages AND translations_words = %s" id)))
      (rcd-db-sql-report "Translations" sql
                         [("ID" 4 t) ("Language" 30 t) ("Words" 30 t) ("Translations" 30 t)]
                         "translations" nil 'rcd-db-words-list-translations))))
In the above case there is a main function `rcd-db-sql-report' which
only accepts SQL. I spare writing code by using a single function to
handle reports. If I made that function accept the parameters
"carefully", that would mean that for every one of thousands of SELECT
statements I would need to make a slightly different function, and
would waste my time terribly.
I do not find writing SQL queries as s-exps practically useful, as that
causes the programmer NOT to have the SQL statement at hand to verify or
debug the SQL query. In that case I would need to wait for the program
to construct the SQL and show it to me somewhere so that I can try it out.
Otherwise, I use SQL first, then enter it in the Emacs Lisp. Isn't
it more practical to try SQL first until satisfied and then use it?
Back to the above function: the macro `when-tabulated-id "words"' passes
the ID only as a number. It checks if the user is in the table "words",
and then the ID can be taken only from the tabulated list ID, and due to
the program style in general, there is no other ID but a numeric ID.
Nothing can happen.
Of course, the user could modify the Emacs buffer and "inject" a
dangerous ID there, and thus possibly dangerous SQL. While one can say
those are Emacs weaknesses, for me those are features. That the user is
able to modify everything within Emacs, including the code, this fact
alone means SQL queries cannot be made "safer" by using exclusively
s-exps for SQL. Then I can also modify that SQL and inject dangerous SQL
anyway; analogous typographic and computer errors can take place with
s-exps or without.
IMHO, the examples discussed are way too hypothetical, without a single
real-world problem reported so far.
The difference is that with SQL as strings, one can see the SQL
practically, and construct it and place it in Emacs Lisp freely, without
the double work of restructuring it into s-exps.
--
Jean
Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
In support of Richard M. Stallman
https://stallmansupport.org/
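As an added example (not part of Jean's message or of the sqlite3 package), here is the sexp -> string -> sqlite pipeline Tomas describes, compiled so that column and table names are checked as identifiers while literal values become `?` placeholders bound separately; it assumes Emacs 29's built-in `sqlite-open', `sqlite-execute' and `sqlite-select', and every `rcd-sql-' name is invented for this illustration.

```elisp
;; Added example, not code from the message or from the sqlite3 package.
;; Compiles a small query sexp into SQL text with ?-placeholders plus a
;; separate value list, so a value read from a buffer is bound as data
;; rather than spliced into the statement.  `rcd-sql-' names are hypothetical.

(defun rcd-sql--identifier (sym)
  "Return SYM as an SQL identifier, accepting plain names only."
  (let ((name (symbol-name sym)))
    (unless (string-match-p "\\`[A-Za-z_][A-Za-z0-9_]*\\'" name)
      (error "Invalid SQL identifier: %s" name))
    name))

(defun rcd-sql--expr (expr values)
  "Render EXPR to SQL, pushing literal values onto the box VALUES."
  (pcase expr
    ((pred symbolp) (rcd-sql--identifier expr))
    ((or (pred numberp) (pred stringp))
     (push expr (car values)) "?")           ; literal: placeholder, not text
    (`(,(and op (or '= '< '> '<> 'like)) ,a ,b)
     (format "%s %s %s" (rcd-sql--expr a values)
             (upcase (symbol-name op)) (rcd-sql--expr b values)))
    (`(and . ,args)
     (mapconcat (lambda (a) (concat "(" (rcd-sql--expr a values) ")"))
                args " AND "))
    (_ (error "Unsupported expression: %S" expr))))

(defun rcd-sql-compile (query)
  "Compile (select COLS from TABLES where EXPR) to (SQL . VALUES)."
  (pcase query
    (`(select ,cols from ,tables where ,where)
     (let* ((values (list nil))
            (sql (format "SELECT %s FROM %s WHERE %s"
                         (mapconcat #'rcd-sql--identifier cols ", ")
                         (mapconcat #'rcd-sql--identifier tables ", ")
                         (rcd-sql--expr where values))))
       (cons sql (nreverse (car values)))))
    (_ (error "Unsupported query: %S" query))))

(defun rcd-sql-demo ()
  "Compare splicing and binding of one constructed ID on an in-memory DB."
  (let* ((db (sqlite-open))                 ; nil FILE = in-memory database
         (id "1 OR 1=1")                    ; constructed value, as if edited into a buffer
         (q (rcd-sql-compile `(select (words_id words_value) from (words)
                                      where (= words_id ,id)))))
    (sqlite-execute db "CREATE TABLE words (words_id INTEGER, words_value TEXT)")
    (sqlite-execute db "INSERT INTO words VALUES (1, 'one'), (2, 'two')")
    (list :spliced (sqlite-select db (format "SELECT words_id, words_value FROM words WHERE words_id = %s" id))
          :bound (sqlite-select db (car q) (cdr q)))))
```

Evaluating `(rcd-sql-demo)` shows the two paths side by side: the `format'-spliced statement matches every row, while the bound version compares the same text as a value and returns no rows, so the SQL text never changes shape with the data.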