From: arne@vajhoej.dk   
      
   On 7/7/2025 8:26 PM, Lawrence D'Oliveiro wrote:   
   > On Mon, 7 Jul 2025 19:28:37 -0400, Arne Vajhøj wrote:   
   >> ... dynamic string manipulation is rarely used for database access. It   
   >> is a code smell.   
   >   
   > I posted examples some years ago in this group about how useful they are.   
   > Want to revisit those?   
      
   You were also told how it should have been done in Python and   
   how it would be done in Cobol.   
      
   Cobol support dynamic strings fine. But it is not a good   
   choice for SQL.   
      
   For security reasons (and possible for performance reasons).   
      
   $ type sql.py   
   v1 = 123   
   v2 = "ABC'); DROP TABLE importantdata; --"   
   sql = f"INSERT INTO data VALUES({v1},'{v2}')"   
   print(sql)   
   $ python sql.py   
   INSERT INTO data VALUES(123,'ABC'); DROP TABLE importantdata; --')   
   $ type sql.cob   
   identification division.   
   program-id.sqlprg.   
   *   
   data division.   
   working-storage section.   
   01 v1 pic 9(9) value 123.   
   01 v2 pic x(80) value "ABC'); DROP TABLE importantdata; --".   
   01 sql pic x(80).   
   *   
   procedure division.   
   main-paragraph.   
        string "INSERT INTO data VALUES(" v1 ",'" v2 "')" delimited by size   
   into sql   
        display sql   
        stop run.   
   $ cob sql   
   $ lin sql   
   $ r sql   
   INSERT INTO data VALUES(000000123,'ABC'); DROP TABLE importantdata; --   
      
   Of course the Python code is still a lot shorter than the   
   Cobol code, but that is generally the case.   
      
   Arne   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)