From: Jean Louis
Newsgroups: gmane.emacs.devel
Subject: Re: [NonGNU ELPA] New package: sqlite3
Date: Fri, 7 Apr 2023 07:53:16 +0300
References: <875ybd7mbh.fsf@bernoul.li> <87y1nzb95o.fsf@posteo.net> <87y1nq5pkz.fsf@posteo.net> <87ttye5mcw.fsf@posteo.net> <87mt46nj00.fsf@posteo.net> <87y1npbz07.fsf@logand.com>
To: Tomas Hlavaty
Cc: Philip Kaludercic, Lynn Winebarger, Jonas Bernoulli, emacs-devel@gnu.org
User-Agent: Mutt/2.2.9+54 (af2080d) (2022-11-21)
In-Reply-To: <87y1npbz07.fsf@logand.com>
Xref: news.gmane.io gmane.emacs.devel:305152

* Tomas Hlavaty [2023-03-22 00:03]:
> The idea is that one should not concatenate strings by hand but one
> should write the query as sexp (likely build that cons tree using quote
> or backquote). That cons tree should then be converted to string by a
> lisp function. Only after that should the string be passed to sqlite.
>
> sexp (cons tree) -> string -> sqlite

I have got 2027 SELECT statements, 463 INSERT statements, and 81 UPDATE
statements in Emacs Lisp, mostly for PostgreSQL, a little less for
SQLite3. There are many string concatenations, and I never had a visual
problem with it. Maybe it depends on various styles of programming.
Example:
--------

(defun rcd-db-words-list-translations (&optional id)
  "List translations of the table `words'"
  (interactive)
  (when-tabulated-id "words"
    (let ((sql (format "SELECT translations_id, languages_name, words_value, translations_translation FROM translations, languages, words WHERE words_id = translations_words AND languages_id = translations_languages AND translations_words = %s" id)))
      (rcd-db-sql-report "Translations" sql
                         [("ID" 4 t) ("Language" 30 t) ("Words" 30 t) ("Translations" 30 t)]
                         "translations" nil 'rcd-db-words-list-translations))))

In the above case there is a main function `rcd-db-sql-report' which
only accepts SQL. I spare writing code by using a single function to
handle reports. If I made that function accept the parameters
"carefully", that would mean that for every one of thousands of SELECT
statements I would need to write a slightly different function, and
would waste my time terribly.

I do not find writing SQL queries as s-exp practically useful, as that
causes the programmer NOT to have the SQL statement at hand to verify or
debug the SQL query. In that case I would need to wait for the program
to construct the SQL and show it to me somewhere, so that I can try it
out. Otherwise, I use SQL first, then enter it in the Emacs Lisp. Isn't
it more practical to try SQL first until satisfied and then use it?

Back to the above function: the macro `when-tabulated-id "words"' passes
the ID only as a number. It is checking if the user is in the table
"words", and then the ID can be taken only from the tabulated list ID,
and due to the program style in general, there is no other ID but a
number ID. Nothing can happen. Of course, the user could modify the
Emacs buffer and "inject" the dangerous ID there, and thus possibly
dangerous SQL. While one can say those are Emacs weaknesses, for me
those are features. That the user is able to modify everything within
Emacs, including the code, this fact alone means SQL queries cannot be
made "safer" by using exclusively s-exp for SQL.
Then I can also modify that SQL and inject dangerous SQL anyway;
analogous typographic and computer errors can take place with s-exp or
without. IMHO, the examples discussed are way too hypothetical, without
a single real-world problem reported so far. The difference is that
with SQL as strings, one can see the SQL practically, and construct it
and place it in Emacs Lisp freely, without the double work of
restructuring it into s-exp.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
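Added example, not code from the message above nor from the rcd-db code it quotes. It assumes Emacs 29 or later built with SQLite support (the built-in `sqlite-open', `sqlite-execute' and `sqlite-select'); the `words' table, its two rows and every `demo-' name are constructed for illustration. It puts the message's `format'-interpolated lookup beside a version that binds the ID as a query parameter and a version that keeps `format' but checks the number-only invariant the message relies on, so the three agree on a numeric ID and differ only when something that is not a number reaches the query.

```elisp
;; Added example, not part of the original message.  Assumes Emacs 29+
;; built with SQLite support.  Table, rows and the demo- names are
;; constructed for illustration only.

(defun demo-words-db ()
  "Return an in-memory database holding a tiny constructed `words' table."
  (unless (sqlite-available-p)
    (error "This Emacs was built without SQLite support"))
  (let ((db (sqlite-open)))
    (sqlite-execute db "CREATE TABLE words (words_id INTEGER PRIMARY KEY, words_value TEXT)")
    (sqlite-execute db "INSERT INTO words VALUES (1, 'apple'), (2, 'pear')")
    db))

(defun demo-words-by-format (db id)
  "Splice ID into the SQL text with `format', as the message's function does.
Whatever ID prints as becomes part of the statement itself."
  (sqlite-select db (format "SELECT words_value FROM words WHERE words_id = %s" id)))

(defun demo-words-by-parameter (db id)
  "Bind ID as a query parameter; the SQL text is the same for every ID."
  (sqlite-select db "SELECT words_value FROM words WHERE words_id = ?" (list id)))

(defun demo-words-checked (db id)
  "Keep the `format' style but enforce the number-only invariant explicitly."
  (unless (integerp id)
    (signal 'wrong-type-argument (list 'integerp id)))
  (demo-words-by-format db id))

(defun demo-compare (id)
  "Run the three variants on ID and return their results as an alist.
A signal from the checked variant is recorded as the symbol `rejected'."
  (let ((db (demo-words-db)))
    (unwind-protect
        (list (cons 'format    (demo-words-by-format db id))
              (cons 'parameter (demo-words-by-parameter db id))
              (cons 'checked   (condition-case nil
                                   (demo-words-checked db id)
                                 (wrong-type-argument 'rejected))))
      (sqlite-close db))))

;; (demo-compare 1)          ; the numeric case the message describes
;; (demo-compare "words_id") ; a non-number: the text is read as SQL, not as data
```

With `1', all three variants return the row for "apple". With the string `"words_id"', the `format' variant's statement becomes `WHERE words_id = words_id' and matches every row, because the text was interpolated as SQL; the bound-parameter variant compares the text as a value against the integer column and matches nothing; the checked variant signals before any SQL is built. The check is the smallest change that keeps a single `rcd-db-sql-report'-style entry point while making the "ID is always a number" assumption something the code verifies rather than something the surrounding program style guarantees.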