this post was submitted on 27 Dec 2023
547 points (96.9% liked)
Programmer Humor
19503 readers
652 users here now
Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
Rules
- Keep content in english
- No advertisements
- Posts must be related to programming or programmer topics
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I actually like this. This would allow reuse of all the infrastructure we have around XML. No more SQL injection and dealing with query parameters? Sign me up!
Assuming it's built well. As someone else pointed out, it doesn't look quite right here.
So you mean like parameterized queries, which exist?
Better than parameterized queries. Yes, we have stuff like
query("INSERT INTO table(status, name) VALUES ($1, $2);").bind(ent.status).bind(ent.name).execute...
, but that's kind of awful isn't it? With XML queries, we could use any of the XML libraries we have to create and manipulate XML queries without risking 'XML injection'. e.g we could convert ordinary structs/classes into column values automatically without having to use any ORM.I mean, that's just a bad library interface. With a halfway decent interface, you can do something like
No orm required. With tagged templates in JS, you can do
Even wrap it in a function with destructuring to get rid of
ent
:Typescript can add type safety on top of that, of course. And there's the option to prepare a query once and execute it multiple times.
Honestly, the idea of manipulating XML queries, if you mean anything more fancy than the equivalent of parameter injection, sounds over-complicated, but I'd love to see a more concrete example of what you mean by that.
I was thinking along the lines of
Plenty of libraries can build the XML using structs/classes. e.g. with serde:
Or with jackson-dataformat-xml:
I don't do JS (yet) but maybe JSX could also do similar things with XML queries.
No more matching $1, $2, ... (or
?
for mysql) with individual columns, I could dump entire structs/objects into a query and it would work.