digitalmars.D - yet another string interp dip, simple edition
- monkyyy (12/12) Jan 14 `i"$foo $bar"` makes a string literal at the call site, no one
- Alexandru Ermicioi (2/14) Jan 14 what about security issues such as sql injection?
- monkyyy (7/25) Jan 14 sounds like an awful lot of sql's problem, and what do you want
- tony (6/7) Jan 14 On Monday, 15 January 2024 at 00:11:13 UTC, Alexandru Ermicioi
- cc (4/22) Jan 18 If your programmer is using string interpolation for sensitive
- Alexandru Ermicioi (4/6) Jan 18 You will, but first, you'd get your company software breached, so
- cc (20/27) Jan 19 Then it might be best not to allow any such practice of injecting
- Alexandru Ermicioi (9/27) Jan 19 That is actually a problem for html templates as well, and any
- Kagamin (7/10) Jan 24 You mean the current way
- novice2 (18/18) Jan 25 I dont understand, why string interpolation related to sql
- Alexandru Ermicioi (9/10) Jan 25 Version proposed here indeed should not be used. Dip 1036e, as
- Alexandru Ermicioi (4/14) Jan 25 Perhaps someone will, which is sad. Still, not an argument to
- monkyyy (11/15) Jan 25 "yes a sharp hammer is the wrong tool to tighten a screw, so
`i"$foo $bar"` makes a string literal at the call site, no one gets to format anything, make templates, or anything else; no change to template syntax to match some strange use case that no one remembers anymore.

`i"$$"=='$'` double $ is the escape, so there's only one control char that changes

`float f=1.337; assert(i"$f"=="1.34");` floats are rounded to two digits, always

`Vector2 v; assert(i"$v"==v.toString);` structs reuse the toString norms

`int[] array=[1,2,3]; assert(mixin(i"$array")==array);` base types and combinations of base types create sane mixins
Jan 14
On Sunday, 14 January 2024 at 23:20:36 UTC, monkyyy wrote:

> `i"$foo $bar"` makes a string literal at the call site, no one gets to format anything, make templates, or anything else; no change to template syntax to match some strange use case that no one remembers anymore.
>
> `i"$$"=='$'` double $ is the escape, so there's only one control char that changes
>
> `float f=1.337; assert(i"$f"=="1.34");` floats are rounded to two digits, always
>
> `Vector2 v; assert(i"$v"==v.toString);` structs reuse the toString norms
>
> `int[] array=[1,2,3]; assert(mixin(i"$array")==array);` base types and combinations of base types create sane mixins

what about security issues such as sql injection?
Jan 14
On Monday, 15 January 2024 at 00:11:13 UTC, Alexandru Ermicioi wrote:

> On Sunday, 14 January 2024 at 23:20:36 UTC, monkyyy wrote:
>
>> `i"$foo $bar"` makes a string literal at the call site, no one gets to format anything, make templates, or anything else; no change to template syntax to match some strange use case that no one remembers anymore.
>>
>> `i"$$"=='$'` double $ is the escape, so there's only one control char that changes
>>
>> `float f=1.337; assert(i"$f"=="1.34");` floats are rounded to two digits, always
>>
>> `Vector2 v; assert(i"$v"==v.toString);` structs reuse the toString norms
>>
>> `int[] array=[1,2,3]; assert(mixin(i"$array")==array);` base types and combinations of base types create sane mixins
>
> what about security issues such as sql injection?

sounds like an awful lot of sql's problem, and what do you want, the compiler to throw an exception? what if someone else wants a string that doesn't throw an exception based on some software that they may not even be aware of?
Jan 14
On Monday, 15 January 2024 at 00:11:13 UTC, Alexandru Ermicioi wrote:

> and combinations of base types create sane mixins
>
> what about security issues such as sql injection?

Have the other languages solved security issues in their string interpolation? https://www.geeksforgeeks.org/python-string-interpolation/
Jan 14
On Monday, 15 January 2024 at 00:11:13 UTC, Alexandru Ermicioi wrote:

> On Sunday, 14 January 2024 at 23:20:36 UTC, monkyyy wrote:
>
>> `i"$foo $bar"` makes a string literal at the call site, no one gets to format anything, make templates, or anything else; no change to template syntax to match some strange use case that no one remembers anymore.
>>
>> `i"$$"=='$'` double $ is the escape, so there's only one control char that changes
>>
>> `float f=1.337; assert(i"$f"=="1.34");` floats are rounded to two digits, always
>>
>> `Vector2 v; assert(i"$v"==v.toString);` structs reuse the toString norms
>>
>> `int[] array=[1,2,3]; assert(mixin(i"$array")==array);` base types and combinations of base types create sane mixins
>
> what about security issues such as sql injection?

If your programmer is using string interpolation for sensitive sql queries, you fire the programmer.
Jan 18
On Thursday, 18 January 2024 at 20:30:43 UTC, cc wrote:

> If your programmer is using string interpolation for sensitive sql queries, you fire the programmer.

You will, but first, you'd get your company software breached, so perhaps it is best to not allow such things in the first place (language).
Jan 18
On Thursday, 18 January 2024 at 23:05:03 UTC, Alexandru Ermicioi wrote:

> On Thursday, 18 January 2024 at 20:30:43 UTC, cc wrote:
>
>> If your programmer is using string interpolation for sensitive sql queries, you fire the programmer.
>
> You will, but first, you'd get your company software breached, so perhaps it is best to not allow such things in the first place (language).

Then it might be best not to allow any such practice of injecting dynamic string data into a constructed string command that will be fed into an interpreter that doesn't discriminate between querying and manipulating data in the first place. To echo another poster, *that's SQL's problem*. 😉

Nothing wrong with saying "let's make this system a little better", but how far is a language *really* obligated to go to protect users from doing the same terrible thing they do in every other language with a database interface known to have some of the widest attack surfaces in history? Not a rhetorical question: I can see some advantage to D being able to say "hey look, our string interpolation is THIS good, you can do this with it and not get screwed!", but I can also see it going too far and creating a wasteland of "can't have nice things" because someone somewhere will carry on the same old bad practices of shooting themselves in both feet with it.

Just my irrelevant 2 cents, anyway. That ship has sailed, but worth remembering for the next one to come into port, IMO.
Jan 19
On Friday, 19 January 2024 at 10:07:38 UTC, cc wrote:

> Then it might be best not to allow any such practice of injecting dynamic string data into a constructed string command that will be fed into an interpreter that doesn't discriminate between querying and manipulating data in the first place. To echo another poster, *that's SQL's problem*. 😉

That is actually a problem for html templates as well, and any use case where a string template is desired to be used.

> Nothing wrong with saying "let's make this system a little better", but how far is a language *really* obligated to go to protect users from doing the same terrible thing they do in every other language with a database interface known to have some of the widest attack surfaces in history? Not a rhetorical question: I can see some advantage to D being able to say "hey look, our string interpolation is THIS good, you can do this with it and not get screwed!", but I can also see it going too far and creating a wasteland of "can't have nice things" because someone somewhere will carry on the same old bad practices of shooting themselves in both feet with it.

Sloppy job is also a problem, and that is not related much to experience.

> Just my irrelevant 2 cents, anyway. That ship has sailed, but worth remembering for the next one to come into port, IMO.

Can't wait to try out dip1036e in the reference compiler :). I guess we can stop this thread at this point of time.

Regards,
Alexandru.
Jan 19
On Thursday, 18 January 2024 at 23:05:03 UTC, Alexandru Ermicioi wrote:

> You will, but first, you'd get your company software breached, so perhaps it is best to not allow such things in the first place (language).

You mean the current way

```
query("select * from student where name='"~bobby~"'");
```

is ugly enough that nobody will use it accidentally?
Jan 24
I don't understand why string interpolation is related to sql injection at D forums. IMHO, these are parallel things.

The SQL injection problem should be (IMHO) solved by using a "prepare statement" phase. The programmer calls sql.prepare(). The DB driver makes one call to the DB server to send the query with placeholders. The DB server prepares the query to execute. Then the programmer calls sql.bind_parameters() or sql.execute_with_parameters(). The DB driver makes another, separate call to the DB server with the parameter values and their types. If a parameter contains an injection, it will not work. The server does not concatenate the parameter with the query. The prepared query on the DB server can be a parsed AST tree, not a query string.

IMHO, string interpolation should not be used for DB code.
Jan 25
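As an added example (not code from the thread or from any D library), the difference novice2 describes between gluing a value into the query text, as in Kagamin's `query(...)` snippet above, and binding it as a parameter. It uses Python's sqlite3 module on a constructed in-memory `student` table; a name containing an apostrophe is enough to show that concatenation lets the value change the query's structure while a bound parameter stays data.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_ROWS = [("bobby", 90), ("O'Brien", 85), ("alice", 70)]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table student(name text, grade int)")
    db.executemany("insert into student values (?, ?)", SAMPLE_ROWS)
    return db


def lookup_concat(db, name):
    # The pattern from the thread: the value becomes part of the SQL text,
    # so any quote inside it is parsed as SQL, not as data.
    sql = "select name, grade from student where name='" + name + "'"
    return db.execute(sql).fetchall()


def lookup_bound(db, name):
    # The query text with a placeholder is prepared; the value travels
    # separately and is never parsed as SQL.
    sql = "select name, grade from student where name=?"
    return db.execute(sql, (name,)).fetchall()


def compare(name):
    # Returns (concatenated result or error text, bound-parameter result).
    db = make_db()
    try:
        concat = lookup_concat(db, name)
    except sqlite3.OperationalError as exc:
        concat = f"error: {exc}"
    return concat, lookup_bound(db, name)


if __name__ == "__main__":
    for n in ("bobby", "O'Brien"):
        print(n, "->", compare(n))
```

For `O'Brien` the concatenated query fails with a syntax error because the apostrophe terminated the string literal early, while the bound query returns the row; the same mechanism is what keeps attacker-controlled text from being interpreted as SQL.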
On Thursday, 25 January 2024 at 16:37:07 UTC, novice2 wrote:

> IMHO, string interpolation should not be used for DB code.

Version proposed here indeed should not be used. Dip 1036e, as far as I understood, can be used and does provide some security benefits against sql injection, given the sql library in question uses interpolated strings.

I think we should stop discussing this proposal, since dip1036 is already accepted. If you're curious how interpolated strings might help with sql injection, check recent debates about interpolated strings, there are plenty of examples.
Jan 25
On Thursday, 25 January 2024 at 07:47:53 UTC, Kagamin wrote:

> On Thursday, 18 January 2024 at 23:05:03 UTC, Alexandru Ermicioi wrote:
>
>> You will, but first, you'd get your company software breached, so perhaps it is best to not allow such things in the first place (language).
>
> You mean the current way
>
> ```
> query("select * from student where name='"~bobby~"'");
> ```
>
> is ugly enough that nobody will use it accidentally?

Perhaps someone will, which is sad. Still, not an argument to introduce yet another way of concatenating strings (suggested here), which imho is even easier than your example to use.
Jan 25
On Thursday, 25 January 2024 at 17:27:51 UTC, Alexandru Ermicioi wrote:

> Perhaps someone will, which is sad. Still, not an argument to introduce yet another way of concatenating strings (suggested here), which imho is even easier than your example to use.

"yes a sharp hammer is the wrong tool to tighten a screw, so hammers shouldn't exist"

I just want a dumb thing that makes string concat shorter and nicer to write, *for when you write string concat*. There was this highly technical debate about purely theatrical use that lasted for 6 years and was a straw that broke the camel's back for a community split. Yes my suggestion provides nothing for sql, *that was the point*, I wasn't pretending it did.
Jan 25