
Easy. Don’t write queries in a language (SQL) which interpolates content without escaping it for the enclosing structure.

Go one level up.

For example, statements that are prepared should not allow strings in the SQL, but rather variables, and then bind them to values like PDO does.

It would be a bit annoying to have to prepare outside and pass in every SQL literal you need to use in your query.

I'd rather have an SQL API taking not strings but a special type that a string can't be directly converted into without escaping (by default).

In C++, tagged literals could be used to create this special type easily. Similar constructs exist in some other languages.

Literally, a library can generate SQL statements and compile them.

JS and PHP have tagged literals.

But they have to be “escaped” properly before being interpolated!

That's the whole point of having a separate type for queries. Whenever you try to glue a string to a query the string gets escaped.
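The "separate type for queries" idea from the two comments above, built on the tagged template literals JS offers. This is an added example, not code from the thread or from any named library; it assumes PostgreSQL-style `$1, $2` placeholders and a driver that accepts a query as `(text, params)`. Interpolated values never become part of the SQL text: they are collected as bind parameters, nested `Query` fragments are spliced in with their placeholders renumbered, and converting a `Query` to a plain string is refused instead of silently gluing it to other strings.

```javascript
// Added example (not from the thread): a tagged template that builds a
// parameterised query. A plain string interpolated into the template can
// only ever become a bind parameter, never SQL text.
class Query {
  constructor(text, params) {
    this.text = text;     // SQL with $1, $2, ... placeholders (PostgreSQL style; an assumption)
    this.params = params; // bound values, in placeholder order
    Object.freeze(this);
  }

  // Refuse implicit stringification so `"SELECT " + q` or `${q}` in a normal
  // template literal throws instead of producing an injectable string.
  toString() {
    throw new TypeError("Query cannot be converted to a string; hand text and params to the driver");
  }
}

// Shift a fragment's $n placeholders by `offset` so they continue the outer numbering.
function renumber(text, offset) {
  return text.replace(/\$(\d+)/g, (_, n) => `$${Number(n) + offset}`);
}

// The tag: static chunks become SQL, interpolated values become parameters,
// and nested Query objects are spliced in as SQL with their own parameters.
function sql(strings, ...values) {
  let text = "";
  const params = [];
  strings.forEach((chunk, i) => {
    text += chunk;
    if (i < values.length) {
      const v = values[i];
      if (v instanceof Query) {
        text += renumber(v.text, params.length);
        params.push(...v.params);
      } else {
        // Anything that is not a Query (including a string that looks like SQL) is data.
        params.push(v);
        text += `$${params.length}`;
      }
    }
  });
  return new Query(text, params);
}

// Constructed usage: a reusable fragment composed into a larger query.
function findActiveUser(name) {
  const active = sql`status = ${"active"}`;
  return sql`SELECT id FROM users WHERE name = ${name} AND ${active}`;
}

// A hostile-looking name stays a parameter; the SQL text is unaffected.
const q = findActiveUser("' OR 1=1 --");
console.log(q.text);   // SELECT id FROM users WHERE name = $1 AND status = $2
console.log(q.params); // [ "' OR 1=1 --", 'active' ]
```

The driver call would then be something like `client.query(q.text, q.params)`; because `Query` is frozen and throws on `toString`, the only way to get SQL out of it is through that typed path.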
