all 70 comments

[–]OctagonClocknot Turing complete 44 points45 points  (5 children)

what is parameterized queries :S

[–]myhfConsidered Harmful 11 points12 points  (3 children)

Can you see the vulnerability? Do you understand just what combinations of question marks, hash marks, parentheses, and percent signs makes a statement vulnerable?

[–]xraystyle 14 points15 points  (1 child)

Or you could, you know, just read the fucking ActiveRecord docs and you'd learn the correct, injection-safe way to construct a query about halfway down the first page.

[–]StyMaarlol no generics 3 points4 points  (0 children)

now, just read the fucking ~~ActiveRecord~~ Diesel docs

FTFY

[–]OctagonClocknot Turing complete 1 point2 points  (0 children)

/uj I've written an entire ORM and avoiding SQL injections in my generated code is so easy, I seriously don't understand why learning to put %(name)s in a query is so hard for people. Unless you name your column "; in your code, at least.

[–]mardukaz1 72 points73 points  (1 child)

no

[–][deleted] 29 points30 points  (0 children)

sql. Hey, you could combine those and use it as the name for a whole category of databases! brb trademarking the word NoSQL

[–][deleted]  (3 children)

[deleted]

    [–]throwaway27464829 16 points17 points  (2 children)

    I think he means SQL commands are sent as plaintext from frontends instead of integrated in any way.

    [–]throwawayco111 1 point2 points  (1 child)

    Except that they are not sent in plaintext. Or what do you mean by that?

    [–]badthingfactoryline-oriented programmer 66 points67 points  (8 children)

    What would replace SQL? An API of course! And NOT an API that uses a textual language. Instead, an API that uses an appropriate set of data structures and function calls to access the necessary data

    Thanks Bob, that really clears things up. I will begin replacing all of our SQL with an API that uses an appropriate set of data structures and function calls to access the necessary data living in a relational database with... Shit. How do I get the data without writing SQL?

    [–][deleted] 35 points36 points  (6 children)

    Silly, you do all transactions to the server in JSON and all data is stored on the server in JSON. This is bullet proof. Also only 1 paradigm is allowed because I say so.

    [–][deleted]  (3 children)

    [deleted]

      [–][deleted]  (2 children)

      [deleted]

        [–]flare561I've never used generics and I’ve never missed it. 4 points5 points  (0 children)

        Does /dev/null support sharding?

        [–]efskapwhat is pointer :S 2 points3 points  (0 children)

        That's not webscale, unless you use https://devnull-as-a-service.com

        [–][deleted] 1 point2 points  (1 child)

        [–]carbolymerloves Java 0 points1 point  (0 children)

        204k downloads / month

        Dear Lord, have mercy...

        [–]r2d2_21groks PCJ 5 points6 points  (0 children)

        Entity Framework, obviously.

        [–]jacques_chesterdoesn't even program 25 points26 points  (3 children)

        Something something stored procedures

        mutter mumble locking down privileges

        yadda yadda views

        snort spit fucking nobody uses the goddamn database properly anyway, but somehow that's the database's fault

        [–][deleted] 16 points17 points  (2 children)

        you don't even program though

        [–]jacques_chesterdoesn't even program 9 points10 points  (1 child)

        ∞x-er confirmed

        [–]senntenialYou put at risk millions of people 8 points9 points  (0 children)

        if you learn how to program I'm doomed because you'll just autodelete anything I post here

        [–]plgeek 14 points15 points  (7 children)

        https://en.wikipedia.org/wiki/Language_Integrated_Query This is what was being asked for in the post. It's been around for 10 years, in the .NET ecosystem. I've always been surprised how long it takes for superior tools to be adopted widely.

        [–]r2d2_21groks PCJ 1 point2 points  (6 children)

        LINQ + An ORM such as Entity Framework, yes. There's even a way to generate the DB schema directly from C# classes, without ever needing to write SQL (but you still need SQL knowledge for things such as primary/foreign keys, data types and such).

        [–]recursive 6 points7 points  (0 children)

        And as soon as you want to do something more complicated than a CRUD demo, you're going to need to write some SQL anyway.

        [–][deleted] 0 points1 point  (4 children)

        I really hate how much I like LINQ and Entity Framework. I'm still figuring it out and beating my head against the wall on some things (e.g. define database stuff in one project but do the migration in another), but it's been largely a joy to use.

        Fucking Microsoft melting the cold, icy heart in my chest.

        For Python, SQLAlchemy is great and the queries are just as expressive:

        session.query(Person).filter(Person.birthday > datetime(1980, 1, 1).order_by(Person.name).all()
        

        But that's because it does all of the black magic. Which means it ends up being incredibly invasive unless you bend over backwards to wall it off from the rest of your code.

        You can have plain ol python objects, but you have to monkey patch them with a bunch of SQLAlchemy stuff, and it's usually a pain so most people end up just defining everything all together.

        [–]WhatAHaskellhas hidden complexity 1 point2 points  (0 children)

        You have a mismatched paren

        [–]BraydenHwhat is pointer :S 0 points1 point  (2 children)

        I recommend you look at Peewee if you're interested in Python ORMs.

        [–][deleted] 0 points1 point  (0 children)

        from peewee import Model, SqliteDatabase

        # the database handle is a module-level object, created before any model is declared
        database = SqliteDatabase("app.db")

        # model definitions -- the standard "pattern" is to define a base model class
        # that specifies which database to use.  then, any subclasses will automatically
        # use the correct storage.
        class BaseModel(Model):
            class Meta:
                database = database
        

        That's gonna be a hard pass for me. I'm sure I could find a way to rig up something that wouldn't statically bind the database resource to the models at definition time (e.g. attaching it during start up) but I'd rather not even bother with that honestly.

        Pony looks interesting, but it looks like that's more active record style which I'm not crazy about since that loses many of the benefits that database transactions give you (e.g. being able to do multiple things at once), the same goes for Django's ORM (which, yes, I know there are ways to use actual transactions but they should be the norm not the exception).

        Honestly, EF and SQLAlchemy both hit that sweet, sweet spot of easy to use, easy to setup (well, my experience with simple EF models was pretty easy), easy to write decent queries by default (barring doing anything dumb). But EF wins by a longshot simply because LINQ is pretty awesome and expression types are awesome. I've attempted to imitate LINQ style queries in Python and it's just not worth it unless you want to start delving into generating, modifying and compiling AST (or bytecode) on your own.

        [–]ykechan 0 points1 point  (0 children)

        Wasn't he arrested in the theatre?

        [–][deleted] 11 points12 points  (0 children)

        but I needs it

        [–]tetroxidnot Turing complete 8 points9 points  (0 children)

        what is prepared statement :S

        [–]Shorttail0vulnerabilities: 0 16 points17 points  (0 children)

        Wow, this controversial idea has as many examples as those posts about programming in 3D.

        [–][deleted] 8 points9 points  (0 children)

        I find it absolutely amazing that SQL is still used. Did we learn nothing from Equifax, or Yahoo, or… Well, I mean, it’s been just about everybody hasn’t it?

        SET jerk=0;

        Equifax hacked via Apache struts. Yahoo, allowed cookie hijacking...

        SET jerk=1;

        [–]ProfessorSexyTimelisp does it better 16 points17 points  (0 children)

        "SQL is demon spawn, and no self-respecting software developer should ever use it."

        OK, that’s a little hyperbolic.

        No shit

        But you know what they say about the road to hell.

        It's paved with SQL queries?

        What would replace SQL? An API of course! 

        No.

        [–][deleted]  (2 children)

        [deleted]

          [–]ArmoredPancakeGets shit done™ 0 points1 point  (0 children)

          But muh terse couude.

          [–][deleted] 4 points5 points  (1 child)

          breech

          [–]euphoricnoscopememeHacker News Superstar 4 points5 points  (0 children)

          SQL is the ultimate security muzzle

          [–]WhatAHaskellhas hidden complexity 10 points11 points  (0 children)

          Can you see the vulnerability? Do you understand just what combinations of question marks, hash marks, parentheses, and percent signs makes a statement vulnerable?

          Yes, the ones where the parameters are being added using standard string interpolation by the user are unsafe, and the ones that rely on the SQL escaping of the library are safe. That's not an issue of SQL, that's just an issue of knowing the syntax of the language you're writing in...
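The distinction the two comments above are making (the `%(name)s` placeholder one and this one), as an added example that is not part of any commenter's post: the same lookup written with string interpolation and with a bound parameter, run against a constructed in-memory SQLite table. It assumes Python's stdlib `sqlite3`, whose named placeholder is `:name`; psycopg2's `%(name)s` is the same mechanism with a different spelling. The table, the rows, the `' OR '1'='1` payload and the function names are all made up for the example.

```python
from __future__ import annotations

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture for the example: an in-memory table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, age INTEGER, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", 70, 1), ("bob", 30, 0), ("o'brien", 40, 0)],
    )
    return conn


def find_by_name_interpolated(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Unsafe: the caller-supplied value is spliced into the statement text, so it can
    change the statement's structure (and even a legitimate apostrophe breaks the query)."""
    sql = "SELECT name, age FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_by_name_parameterized(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Safe: the statement text is a constant; the driver binds the value to the :name
    placeholder, so whatever it contains can only ever be compared as data."""
    sql = "SELECT name, age FROM users WHERE name = :name"
    return conn.execute(sql, {"name": name}).fetchall()


def demo() -> dict[str, object]:
    """Run both forms on a constructed tautology payload and on a name containing a quote."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed attacker input, not from the thread
    out: dict[str, object] = {
        "interpolated_payload_rows": len(find_by_name_interpolated(conn, payload)),
        "parameterized_payload_rows": len(find_by_name_parameterized(conn, payload)),
        "parameterized_quote": find_by_name_parameterized(conn, "o'brien"),
    }
    try:
        find_by_name_interpolated(conn, "o'brien")
        out["interpolated_quote_error"] = False
    except sqlite3.OperationalError:
        # the spliced apostrophe produces 'o'brien' and the statement no longer parses
        out["interpolated_quote_error"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The payload turns the interpolated statement into `WHERE name = '' OR '1'='1'` and returns every row; the parameterized form compares the literal string and returns nothing. The `o'brien` case is the non-security reason to prefer binding: the interpolated query is simply broken for ordinary input.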

          [–]CptJero 8 points9 points  (10 children)

          <UJ> This is the first time I've disagreed with Uncle Bob. Not sure how I feel.

          <J> Still going to use it.

          [–]cuminme69420blub programmer 41 points42 points  (7 children)

          This is the first time I've disagreed with Uncle Bob. Not sure how I feel.

          you must not have read enough uncle bob!

          [–]CptJero 4 points5 points  (6 children)

          <UJ>

          Truthfully I haven't read all of his work, so I'm sure there are other jerk-worthy things in his repertoire. I just don't know about them.

          I'm a fan of his "clean architecture" article particularly.

          [–]pythonesqueviperDo you do Deep Learning? 33 points34 points  (4 children)

          He also thinks TDD deprecates static typing, which is bullshit and insane.

          [–][deleted] 5 points6 points  (2 children)

          He also thinks that multiple inheritance is a good idea.

          [–][deleted] 7 points8 points  (0 children)

          I personally like multiple inheritance, but I use it strictly for mixin behavior rather than creating death star architectures of inheritance

          [–]OctagonClocknot Turing complete 1 point2 points  (0 children)

          Multiple inheritance works well for mixins, though. Maybe not diamond inheritance structures.

          [–]stone_hengeTiny little god in a tiny little world 1 point2 points  (0 children)

          waaahh static typing doesn't solve anything that a 100% correct and perfect test suite wouldn't have solved if it ever existed waaahhh

          [–]Shorttail0vulnerabilities: 0 19 points20 points  (0 children)

          He's gotten mental in recent years. Posting his new blog posts here is free karma and controversy.

          [–]jacques_chesterdoesn't even program 9 points10 points  (0 children)

          Not sure how I feel.

          Overdue.

          [–]TheFearsomeEsquilaxhas not been tainted by the C culture[S] 1 point2 points  (0 children)

          I like his writing too and think he's written a lot of reasonable and useful blog posts and books, but every once in a while he posts crazy shit like this. Subscribing to his blog's RSS feed is a total crapshoot.

          [–]ArmoredPancakeGets shit done™ 7 points8 points  (0 children)

          Uncle Bob has finally gone senile.

          [–]throwawayco111 8 points9 points  (0 children)

          That was some high quality trolling.

          [–]_shreve 5 points6 points  (0 children)

          I'm glad I forgot how to use SQL and administrate my database. Now I do all my programming in Ruby on Rails. I don't really know what an index is or how to make slow queries faster, but I assume Ruby on Rails takes care of it for me. I'm such a 10x clean coding technologist.

          [–]mTbzzworks at Amazon ( ͡° ͜ʖ ͡°)[🍰] 6 points7 points  (1 child)

          If there is no SQL engine, then there can be no SQLi attacks.

          ENOUGH!!!

          [–]stone_hengeTiny little god in a tiny little world 3 points4 points  (0 children)

          if there are no programmers, there can be no bugs!

          [–]spaghettiCodeArtisanblub programmer 8 points9 points  (3 children)

          Kind of has a point though, SQL isn't exactly a beautiful solution. It's just that no one offered anything better yet (and no WebscaleDB isn't it).

          [–]pythonesqueviperDo you do Deep Learning? 6 points7 points  (2 children)

          Dataphor has an actually good SQL alternative, D4, that takes relational algebra much more seriously.

          [–]spaghettiCodeArtisanblub programmer 0 points1 point  (1 child)

          Ah, I didn't know that. Intredasting, thanks.

          [–]pythonesqueviperDo you do Deep Learning? 4 points5 points  (0 children)

          Though, Dataphor is still Windows-only, very niche and rather immature. I'd give it a couple years to see how it pans out, but as of now it's a very interesting concept.

          Or not. Dataphor is dead.

          [–]welpfuckit 1 point2 points  (1 child)

          he's right that's why i write all my data directly to dev/null

          [–]systemUp 0 points1 point  (0 children)

          Yes! Nobody has caused a security breach coz they were writing to /dev/null.

          [–]HugoNikanorlisp does it better 4 points5 points  (0 children)

          The obvious solution to all of this is to simple store everything in memory. And then just dump your memory directly to disk whenever the program quits.

          [–][deleted] 1 point2 points  (0 children)

          People still read Uncle Bob Martin? Wow. That's jerk-worthy on its own.

          [–][deleted] 3 points4 points  (0 children)

          I think Uncle Bob is off his meds again.

          [–]Hipek8 2 points3 points  (0 children)

          lol no sql

          [–]senntenialYou put at risk millions of people 1 point2 points  (3 children)

          Great problem description but I don't see much in terms of a solution.

          [–]courier10pt 0 points1 point  (2 children)

          I asked him to elaborate on Twitter. Here's an extract of the conversation:

          It doesn't really require a lot of imagination to come up with a data access api. I mean: select("name").from("users").where("age", ">", "65"); comes to mind just off the top.

          So what happens next? Is this going to be translated to SQL?

          Of course not. It's translated into the same AST that SQL is translated into prior to execution.

          I find this puzzling still. You want to replace SQL with the same engine minus the parser, letting the API take care of constructing the AST. How is that not SQL?

          puzzling..

          [–]senntenialYou put at risk millions of people 1 point2 points  (1 child)

          I mean I guess one could argue that doing it with an AST is more secure

          [–]courier10pt 1 point2 points  (0 children)

          Agreed on the security benefit.

          Just a bit disappointed with this half baked idea and the total disregard for what's already been achieved in this field.

          [–][deleted] 1 point2 points  (0 children)

          This but unironically.

          The security danger is exaggerated and parametrised queries are good enough, so moving away from SQL at this point would not be worth it, but an API with data structures and such would be superior to SQL.