On Thursday, 18 January 2024 at 23:05:03 UTC, Alexandru Ermicioi wrote:
> On Thursday, 18 January 2024 at 20:30:43 UTC, cc wrote:
>> If your programmer is using string interpolation for sensitive sql queries, you fire the programmer.
> You will, but first, you'd get your company's software breached, so perhaps it is best to not allow such things in the first place (language).
Then it might be best not to allow any such practice of injecting dynamic string data into a constructed string command that will be fed into an interpreter that doesn't discriminate between querying and manipulating data in the first place. To echo another poster, that's SQL's problem. 😉
Nothing wrong with saying "let's make this system a little better", but how far is a language really obligated to go to protect users from doing the same terrible thing they do in every other language with a database interface known to have some of the widest attack surfaces in history? Not a rhetorical question: I can see some advantage to D being able to say "hey look, our string interpolation is THIS good, you can do this with it and not get screwed!", but I can also see it going too far and creating a wasteland of "can't have nice things" because someone somewhere will carry on the same old bad practices of shooting themselves in both feet with it.
Just my irrelevant 2 cents, anyway. That ship has sailed, but worth remembering for the next one to come into port, IMO.
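The two sides of the exchange above, made concrete as an added example (not code from any poster, and not D's interpolation API): the interpolated query that leaks every row or drops a table, the parameterized query that does not, and a small model of what a structure-preserving interpolation could lower to if the compiler handed the callee the literal segments and the interpolated values separately. It is written in Python with the standard sqlite3 module so it runs stand-alone; the `sql_from_segments` lowering and the `i"..."`/`$(name)` spelling in the comment are assumptions about such a design, not a description of what D actually does. The user table and audit table are constructed sample data.

```python
import sqlite3


def setup_db():
    """Constructed sample database: two users and an audit table, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users VALUES (1, 'alice'), (2, 'bob');"
        "CREATE TABLE audit (id INTEGER PRIMARY KEY, note TEXT);"
    )
    return conn


def lookup_interpolated(conn, name):
    """The practice the thread argues about: the value is pasted into the query
    text, so the SQL parser treats attacker-controlled bytes as statement."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The conventional fix: query text and data reach the engine separately."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def audit_note_interpolated(conn, note):
    """Same mistake against a driver that accepts stacked statements (emulated
    with executescript; sqlite3.execute refuses more than one statement).
    Because SQL does not separate querying from manipulation, a value meant
    for an INSERT can carry a DROP. Returns the tables that survive."""
    conn.executescript(f"INSERT INTO audit (note) VALUES ('{note}')")
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def sql_from_segments(literals, values):
    """Assumed model of a structure-preserving interpolation: the callee gets
    the literal segments and the interpolated values as separate lists, so
    each value becomes a bound parameter and never becomes query text."""
    if len(literals) != len(values) + 1:
        raise ValueError("need exactly one more literal segment than values")
    text = literals[0]
    for lit in literals[1:]:
        text += "?" + lit
    return text, tuple(values)


def lookup_segmented(conn, name):
    # What a hypothetical i"SELECT id, name FROM users WHERE name = $(name)"
    # would hand to sql_from_segments under the assumed lowering.
    text, params = sql_from_segments(
        ["SELECT id, name FROM users WHERE name = ", ""], [name])
    return conn.execute(text, params).fetchall()


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    db = setup_db()
    print(lookup_interpolated(db, payload))    # every row leaks
    print(lookup_parameterized(db, payload))   # nothing matches
    print(lookup_segmented(db, payload))       # nothing matches
    print(audit_note_interpolated(setup_db(), "hi'); DROP TABLE audit; --"))
```

The point the segmented version makes is the one in the thread: the programmer still writes what looks like an interpolated string, but the database library, not the string formatter, decides how each interpolated value reaches the engine. Whether a language should go that far is the question the post leaves open; the example only shows what the two outcomes look like on the same input.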