suzanne.soy/racket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

db: added note on sql injection, moved param paras to stmt section

Browse Source
This commit is contained in:
Ryan Culpepper 2011-08-29 00:26:06 -06:00
parent 1c6817426e
commit b3e55dc078
1 changed files with 24 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
collects/db/scribblings/query.scrbl
View File

@ -68,8 +68,7 @@ way to make kill-safe connections.
All query functions require both a connection and a All query functions require both a connection and a
@deftech{statement}, which is one of the following: @deftech{statement}, which is one of the following:
@itemlist[ @itemlist[
@item{a string containing a single SQL statement, possibly with @item{a string containing a single SQL statement}
parameters}
@item{a @tech{prepared statement} produced by @racket[prepare]} @item{a @tech{prepared statement} produced by @racket[prepare]}
@item{a @tech{virtual statement} produced by @item{a @tech{virtual statement} produced by
@racket[virtual-statement]} @racket[virtual-statement]}
@ -78,6 +77,29 @@ All query functions require both a connection and a
@item{an instance of a struct type that implements @racket[prop:statement]} @item{an instance of a struct type that implements @racket[prop:statement]}
] ]
A SQL statement may contain parameter placeholders that stand for SQL
scalar values. The parameter values must be supplied when the
statement is executed; the parameterized statement and parameter
values are sent to the database back end, which combines them
correctly and safely.
Use parameters instead of Racket string interpolation (eg,
@racket[format] or @racket[string-append]) to avoid
@hyperlink["http://xkcd.com/327/"]{SQL injection}, where a string
intended to represent a SQL scalar value is interpreted as---possibly
malicious---SQL code instead.
The syntax of placeholders varies depending on the database
system. For example:
@centered{
@tabbing{
PostgreSQL: @& @tt{select * from the_numbers where n > $1;} @//
MySQL, ODBC: @& @tt{select * from the_numbers where n > ?;} @//
SQLite: @& supports both syntaxes (plus others)
}
}
@defproc[(statement? [x any/c]) boolean?]{ @defproc[(statement? [x any/c]) boolean?]{
Returns @racket[#t] if @racket[x] is a @tech{statement}, @racket[#f] Returns @racket[#t] if @racket[x] is a @tech{statement}, @racket[#f]
@ -345,17 +367,6 @@ grouping fields. The grouping fields must be distinct.
A @deftech{prepared statement} is the result of a call to A @deftech{prepared statement} is the result of a call to
@racket[prepare]. @racket[prepare].
The syntax of parameterized queries varies depending on the database
system. For example:
@centered{
@tabbing{
PostgreSQL: @& @tt{select * from the_numbers where n > $1;} @//
MySQL, ODBC: @& @tt{select * from the_numbers where n > ?;} @//
SQLite: @& supports both syntaxes (plus others)
}
}
Any server-side or native-library resources associated with a prepared Any server-side or native-library resources associated with a prepared
statement are released when the prepared statement is statement are released when the prepared statement is
garbage-collected or when the connection that owns it is closed; garbage-collected or when the connection that owns it is closed;