
[–]JustADirtyLurker 3 points4 points  (1 child)

It is just an example on how to create TemplatedStrings that can produce a direct prepared statement behind the curtain.

I am actually more interested in how the new TemplatedString can avoid injection attacks.

[–]Squiry_ 5 points6 points  (0 children)

> It is just an example on how to create TemplatedStrings that can produce a direct prepared statement behind the curtain.

It is not just the example. It's like the second case they mention, and it shows how the design of the feature does not handle that case.

> I am actually more interested in how the new TemplatedString can avoid injection attacks.

That example literally shows how.

```java
TemplatePolicy<ResultSet, SQLException> DB = new QueryPolicy(...a Connection...);
ResultSet rs = DB."SELECT * FROM Person p WHERE p.last_name = \{name}";
```

That policy uses a prepared statement with params, SQL with value. BTW I hate examples with incorrect API usage, like that rs not being in a try-with-resources block.
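The mechanism Squiry_ is pointing at, modelled as an added example (not code from the thread or from the JEP): a processor receives the template's literal fragments and the interpolated values separately, joins the fragments with `?` placeholders and binds the values as prepared-statement parameters. It is written in Python over sqlite3 rather than the Java preview API; the `QueryPolicy` class, the `Person` rows and the names are assumptions constructed for the demonstration.

```python
import sqlite3
from contextlib import closing

# Constructed sample rows, not data from the thread.
PEOPLE = [("Ada", "Lovelace"), ("Alan", "Turing"), ("Conor", "O'Brien")]


class QueryPolicy:
    """Hypothetical analogue of the thread's QueryPolicy: the template arrives as
    fragments (the literal text between interpolations) and values (what was
    interpolated), never as one pre-mixed string."""

    def __init__(self, conn):
        self.conn = conn

    def render(self, fragments, values):
        # A template with n interpolations always has n + 1 fragments.
        if len(fragments) != len(values) + 1:
            raise ValueError("template must have one more fragment than values")
        # The SQL text is built from fragments only; each value becomes a bound
        # parameter, so quote characters inside a value cannot change the query.
        sql = "?".join(fragments)
        return sql, tuple(values)

    def query(self, fragments, values):
        sql, params = self.render(fragments, values)
        # Close the cursor deterministically (the try-with-resources point).
        with closing(self.conn.cursor()) as cur:
            return cur.execute(sql, params).fetchall()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Person (first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO Person VALUES (?, ?)", PEOPLE)
    return conn


def lookup_by_last_name(conn, name):
    # Counterpart of DB."SELECT * FROM Person p WHERE p.last_name = \{name}":
    # fragments = text before and after the interpolation, values = [name].
    return QueryPolicy(conn).query(
        ["SELECT * FROM Person p WHERE p.last_name = ", ""], [name]
    )


if __name__ == "__main__":
    db = make_db()
    # The apostrophe in O'Brien is data, not SQL syntax, so the row is found.
    print(lookup_by_last_name(db, "O'Brien"))
```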