

   comp.os.vms      DEC's VAX* line of computers & VMS.      264,096 messages   


   Message 262,795 of 264,096   
   Arne Vajhøj to Lawrence D'Oliveiro   
   Re: VMS x86-64 database server   
   08 Jul 25 18:40:31   
   
   From: arne@vajhoej.dk   
      
   On 7/8/2025 5:57 PM, Lawrence D'Oliveiro wrote:   
   > On Tue, 8 Jul 2025 08:45:13 -0400, Arne Vajhøj wrote:   
   >> On 7/7/2025 8:26 PM, Lawrence D'Oliveiro wrote:   
   >>> On Mon, 7 Jul 2025 19:28:37 -0400, Arne Vajhøj wrote:   
   >>>> ... dynamic string manipulation is rarely used for database access. It   
   >>>> is a code smell.   
   >>>   
   >>> I posted examples some years ago in this group about how useful they   
   >>> are. Want to revisit those?   
   >>   
   >> You were also told how it should have been done in Python and how it   
   >> would be done in Cobol.   
   >   
   > Except the alternative Python versions didn’t actually work.   
      
   It worked. It was tested before posted. Cobol embedded SQL was   
   tested with Rdb and Python was tested with SQLite.   
      
   > I can’t decide whether there is actually widespread fear about the   
   > possibilities of dynamically-generated SQL, or just a lack of imagination.   
      
   Dynamically creating an SQL string where the dynamic part is for non-data   
   is rarely needed. The COALESCE trick handles many of the potential cases.   
      
   Dynamically creating an SQL string where the dynamic part is for data   
   is a security disaster waiting to happen (and possibly poor   
   performance as well). People may think that their upper layers   
   will filter the data when they write the code, but eventually   
   someone will mess that part up and bang - the database is vulnerable.   
      
   H2 is actually the database that makes it easiest to catch   
   that. Put ;ALLOW_LITERALS=NONE in the connection string   
   and all attempts to use data values directly instead   
   of parameters will fail.   
      
   Arne   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
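The two points in the post above, shown side by side as an added example (this is not code from the thread, and the `account` table, its four constructed rows and the function names are assumptions made here): the COALESCE trick keeps the SQL text fixed while optional filters are switched on and off through parameters, and a data value spliced into the SQL string is compared with the parameterised form against a classic tautology input. SQLite is used because the post says the Python versions were tested against it; SQLite has no equivalent of H2's ALLOW_LITERALS=NONE, so that check is not reproduced.

```python
import sqlite3

# Constructed sample data (not from the post): a small accounts table.
ROWS = [
    (1, "alice", "sales", 1200),
    (2, "bob", "sales", 800),
    (3, "carol", "ops", 950),
    (4, "dave", "ops", 300),
]


def open_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account("
        "id INTEGER PRIMARY KEY, name TEXT, dept TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO account VALUES (?, ?, ?, ?)", ROWS)
    return conn


# The COALESCE trick: one fixed statement, optional filters via parameters.
# Passing None for a filter turns it into "column = column" / "column >= column",
# which is true for every non-NULL value, so the SQL text never changes and
# no filter clause is ever built by string manipulation.
QUERY = """
SELECT name FROM account
WHERE dept = COALESCE(?, dept)
  AND balance >= COALESCE(?, balance)
ORDER BY id
"""


def find_accounts(conn, dept=None, min_balance=None):
    return [r[0] for r in conn.execute(QUERY, (dept, min_balance))]


# The code smell from the post: a data value spliced into the SQL text.
# Kept deliberately vulnerable to show what the tautology input does to it.
def find_by_name_unsafe(conn, name):
    sql = "SELECT name FROM account WHERE name = '%s'" % name
    return [r[0] for r in conn.execute(sql)]


# Same query with the value passed as a parameter: the quote characters in
# the input are data, not SQL, so the tautology never reaches the parser.
def find_by_name_safe(conn, name):
    return [
        r[0]
        for r in conn.execute("SELECT name FROM account WHERE name = ?", (name,))
    ]


def demo():
    conn = open_db()
    tautology = "x' OR '1'='1"
    return {
        "all": find_accounts(conn),
        "sales": find_accounts(conn, dept="sales"),
        "rich_ops": find_accounts(conn, dept="ops", min_balance=900),
        "unsafe": find_by_name_unsafe(conn, tautology),
        "safe": find_by_name_safe(conn, tautology),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats on the COALESCE form: a row whose column is NULL fails `column = column`, so it drops out even when the filter is "off" (use `IS NOT DISTINCT FROM` or an explicit `? IS NULL OR column = ?` where the engine supports it), and some planners cannot use an index through COALESCE, which is the performance side of the trade-off; neither caveat brings string manipulation back, because the data still travels as parameters.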



(c) 1994,  bbs@darkrealms.ca