Fwd: [Haskell-beginners] Database simple-mysql


Fwd: [Haskell-beginners] Database simple-mysql

Damien Mattei



-------- Forwarded message --------
Subject: [Haskell-beginners] Database simple-mysql
Date: Wed, 5 Dec 2018 11:29:30 +0100
From: Damien Mattei <[hidden email]>
Reply to: The Haskell-Beginners Mailing List - Discussion of
primarily beginner-level topics related to Haskell <[hidden email]>
To: [hidden email]

why does this work:

  let name = "'A    20'"

  bd_rows <- query_ conn "select `N° BD` from sidonie.Coordonnées where Nom = 'A    20'"

  putStrLn $ show bd_rows
  putStrLn $ show name

I got:

[Only {fromOnly = "-04.3982"}]
"'A    20'"
-04.3982


but not with this:

  bd_rows <- query conn "select `N° BD` from sidonie.Coordonnées where Nom = ?" (Only (name::String))

I got an empty result:

[]
...

???
--
[hidden email], [hidden email], UNS / OCA / CNRS
_______________________________________________
Beginners mailing list
[hidden email]
http://mail.haskell.org/cgi-bin/mailman/listinfo/beginners


_______________________________________________
Haskell-Cafe mailing list
To (un)subscribe, modify options or view archives go to:
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
Only members subscribed via the mailman list are allowed to post.

Re: Fwd: [Haskell-beginners] Database simple-mysql

Viktor Dukhovni
> why does this work:
> let name = "'A    20'"
>
> bd_rows <- query_ conn "select `N° BD` from sidonie.Coordonnées where Nom = 'A    20'"

The "Nom" equality constraint was the String:

  <A><SPACE><SPACE><SPACE><SPACE><2><0>

> but not with this:
>
> bd_rows <- query conn "select `N° BD` from sidonie.Coordonnées where Nom = ?" (Only (name::String))

No additional quoting is required or appropriate with prepared statements.
The "Nom" constraint in this case was incorrectly:

  <'><A><SPACE><SPACE><SPACE><SPACE><2><0><'>

This is not Haskell-specific.  The fact that prepared statement parameters
don't use or require quoting is an important safety feature (no SQL-injection
with prepared statements).  Every language that offers SQL bindings with
prepared statement support behaves this way.

--
        Viktor.
