PROPOSAL: Templated Construction Expressions (i.e., Expressions Embedded in Strings)
John Rose John.Rose at Sun.COM
Tue Mar 31 16:58:19 PDT 2009
- Previous message: PROPOSAL: Templated Construction Expressions (i.e., Expressions Embedded in Strings)
- Next message: PROPOSAL: Templated Construction Expressions (i.e., Expressions Embedded in Strings)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mar 30, 2009, at 10:37 PM, rssh at gradsoft.com.ua wrote:
On Mar 20, 2009, at 1:50 PM, John Rose wrote:
I wrote up something more specific, for the sake of this go-around. It is generic and pluggable enough to provide some help with XML templating, and SQL construction.
1. With SQL constructions there exists a problem: the existence of such template string parameters provokes programmers to use them instead of host variables in queries, which causes performance problems and SQL injection problems.
Because this is a general template mechanism, and not merely a
string constructor, it is not vulnerable to SQL injection. The
string segments and interpolations are processed by different factory
methods (appendText vs. append), so an SQL query factory is free to
restrict and check the interpolated arguments.
See the XML example in the proposal; it shows how a two-phase factory
API can first compile and check a template, and then apply it.
So, for example, many PHP guidelines have the rule: do not use "-strings for SQL.
2. Also, I can't understand how this construction will be useful without multiline strings.
You are right; thanks. There is a need at least for C's "foo\n\bar"
or "foo\n" "bar".
If triple-quote (or some equivalent) happens, it would have to be
applied to templated constructors as well as literals, giving the
equivalent of here-files.
3. COMPATIBILITY: this breaks all code that uses $ in string literals. (Or did I read something incorrectly?) So it would be better to prefix such strings with something (maybe one more '$', or '@'?).
You read incorrectly. Template constructor expressions are distinct
from string literals. They are prefixed with the token "new".
4. Why not just call this parser from some method? I.e., what are the arguments for including string templates in the language itself, instead of a library call?
The usual: Sugar like that can help API designers build APIs whose
code is more maintainable: Less noisy. Template-based systems are
popular for a reason.
-- John
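As an added example (not part of this thread or the proposal), the appendText/append split John describes above, with JavaScript tagged template literals standing in for the proposed Java construct; the SqlQuery, compileSqlTemplate and sql names are assumptions, not names from the proposal.

```javascript
// Two-phase SQL template factory modelled on the appendText/append split:
// literal template segments go through appendText (trusted query text), and
// interpolated arguments go through append (bound as host variables, never
// spliced into the text). All names here are hypothetical.
class SqlQuery {
  constructor() { this.text = ""; this.params = []; }
  appendText(segment) { this.text += segment; return this; }
  append(value) {
    // Check on the interpolated argument: only bindable scalars (or null) allowed.
    if (value === undefined || (typeof value === "object" && value !== null)) {
      throw new TypeError("SQL interpolation must be a scalar, got " + typeof value);
    }
    this.params.push(value);
    this.text += "?";            // placeholder for a host variable
    return this;
  }
}

// Phase one: compile and check the template. Only the fixed segments are
// inspected, so the check is independent of any argument value.
function compileSqlTemplate(strings) {
  let quotes = 0;
  for (let i = 0; i < strings.length - 1; i++) {
    quotes += (strings[i].match(/'/g) || []).length;
    // An interpolation slot inside a quoted literal would turn a bind parameter
    // back into string splicing, so reject it when the template is compiled.
    if (quotes % 2 === 1) {
      throw new SyntaxError("interpolation inside a quoted SQL literal at slot " + i);
    }
  }
  // Phase two: apply the compiled template to concrete argument values.
  return (...values) => {
    const q = new SqlQuery();
    strings.forEach((seg, i) => {
      q.appendText(seg);
      if (i < values.length) q.append(values[i]);
    });
    return q;
  };
}

// Tag function: the runtime hands the literal segments and the interpolated
// values to the factory separately, which is what makes the split possible.
function sql(strings, ...values) {
  return compileSqlTemplate(strings)(...values);
}

// Usage on a constructed, hostile-looking input: the value is bound, not spliced.
function lookupUserQuery(userName) {
  return sql`SELECT id FROM users WHERE name = ${userName} AND active = ${1}`;
}
```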