From: Jean Louis
Newsgroups: gmane.emacs.help
Subject: Re: Emacs Modular Configuration: the preferable way.
Date: Tue, 22 Jun 2021 00:07:13 +0300
References: <87pmwgdiyj.fsf@zoho.eu> <83y2b3tq07.fsf@gnu.org> <871r8vcrnm.fsf@posteo.net> <20210621141148.GA29347@tuxteam.de> <87zgvjcgh6.fsf@zoho.eu>
User-Agent: Mutt/2.0.7+183 (3d24855) (2021-05-28)
To: help-gnu-emacs@gnu.org
In-Reply-To: <87zgvjcgh6.fsf@zoho.eu>

* Emanuel Berg via Users list for the GNU Emacs text editor [2021-06-21 20:07]:
> > The language itself has evolved a lot since its beginnings
> > (to the better, IMO). But you still see extremely bad habits
> > "out there" which wouldn't be necessary these days --
> > because, well, they are "out there" (for example: assembling
> > SQL queries with sprintf [1]). They take a life of their own
> > :-)
>
> If it is string to begin with and the end result is a string
> one should be able to use string functions to "assemble" it.

I am thinking how I can make it safer for SQL queries. It seems not
an easy task.

Major updating function is using this:

  (let* ((table "new")
         (column "new_name")
         (new-value "'Joe'")
         (id 1)
         (sql (format "UPDATE %s SET %s = %s WHERE %s_id = %s RETURNING %s_id"
                      table column new-value table id table)))
    (message sql)
    (rcd-sql-first sql db))

  ⇒ 1

Then I have to convert it to the following by its meaning:

  (let* ((table "new")
         (column "new_name")
         (new-value "'Joe'")
         (id 1)
         (parameters (list table column new-value id))
         (sql "UPDATE $1 SET $2 = $3 WHERE $1_id = $4 RETURNING $1_id"))
    (message sql)
    (rcd-sql-first sql db parameters))

But no, that does not work:

  if: Wrong type argument: stringp, ("ERROR:  syntax error at or near \"$1\"
  LINE 1: UPDATE $1 SET $2 = $3 WHERE $1_id = $4 RETURNING $1_id
                 ^
  " "42601")

As those parameters are probably converted to strings.

Thus I cannot avoid using the function `format' just everywhere, but I
can minimize it wherever there is possible danger for SQL injection
(though this below is not working):

  (let* ((table "new")
         (column "new_name")
         (new-value "'Joe'")
         (id 1)
         (parameters (list new-value id))
         (sql (format "UPDATE %s SET %s = $1 WHERE %s_id = $2 RETURNING %s_id"
                      table column table table)))
    (message sql)
    (rcd-sql-first sql db parameters))

Maybe the solution would be to use `format' in steps, so that the final
step can accept users' input.

Issue is not solved. First I have to contact developers of the
`emacs-libpq' package to see if this is an error, as it returns a string
when supplying an integer parameter:

This is not expected:

  (pq:query db "SELECT $1" 100) ⇒ ("100")

While this is expected:

  (pq:query db "SELECT $1" "100") ⇒ ("100")

So the issue is pending on Github:
https://github.com/anse1/emacs-libpq/issues/19

--
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
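As an added example, not code from the original post, rcd-sql or emacs-libpq, here is the two-step construction the message reaches for: table and column names are whitelisted and quoted in the `format' step (PostgreSQL never binds $n to an identifier), while the value and id are left to $1 and $2 for the driver to escape. `rcd-sql-first' and `db' are the poster's names; the `my-sql-*' functions and the whitelists are assumptions.

```elisp
;; Added example (not from the original post, rcd-sql or emacs-libpq).
;; PostgreSQL binds $n placeholders to values only, never to table or
;; column names, so the query is built in two steps: identifiers are
;; whitelisted and double-quoted into the text with `format', and the
;; user-supplied value and id travel as $1 and $2 for the driver to escape.
;; The `my-sql-*' names and the whitelists below are assumptions.

(defconst my-sql-allowed-tables '("new")
  "Constructed whitelist of tables this code may update.")

(defconst my-sql-allowed-columns '("new_name")
  "Constructed whitelist of columns this code may set.")

(defun my-sql-quote-identifier (name)
  "Return NAME as a double-quoted PostgreSQL identifier.
An embedded double quote is escaped by doubling it, so even a name that
slipped past a whitelist cannot close the quotes and append SQL."
  (unless (and (stringp name) (> (length name) 0))
    (error "SQL identifier must be a non-empty string: %S" name))
  (concat "\"" (replace-regexp-in-string "\"" "\"\"" name t t) "\""))

(defun my-sql-update-by-id (table column new-value id)
  "Build an UPDATE of TABLE setting COLUMN to NEW-VALUE where TABLE_id is ID.
Return (SQL . PARAMETERS).  TABLE and COLUMN must be whitelisted, otherwise
an error is signalled before anything reaches the database.  NEW-VALUE is
passed bare (\"Joe\", not \"'Joe'\"), because the driver quotes $1 itself."
  (unless (member table my-sql-allowed-tables)
    (error "Refusing to update unknown table: %S" table))
  (unless (member column my-sql-allowed-columns)
    (error "Refusing to set unknown column: %S" column))
  (let ((id-column (my-sql-quote-identifier (concat table "_id"))))
    (cons (format "UPDATE %s SET %s = $1 WHERE %s = $2 RETURNING %s"
                  (my-sql-quote-identifier table)
                  (my-sql-quote-identifier column)
                  id-column id-column)
          (list new-value id))))

;; With the poster's `rcd-sql-first' and `db': only the SQL text built
;; from whitelisted identifiers is formatted, the values stay parameters.
(let ((q (my-sql-update-by-id "new" "new_name" "Joe" 1)))
  (rcd-sql-first (car q) db (cdr q)))
```

The whitelist does the real work: quoting alone turns an unexpected name into a harmless lookup failure, while the whitelist refuses it before the query is even formatted.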