Fragments interpolation

Open RobertoUa opened this issue 1 year ago • 4 comments

How do I inject a raw string and omit interpolation? For example, I'd like f1 and f2 to just be injected as strings, with fun interpolate not called for them, only for $id.

val fr1 = "name, age, pic"
val fr2 = "LEFT JOIN blah .."
sql("SELECT $fr1 FROM users $fr2 WHERE id = $id")

RobertoUa avatar Oct 15 '24 13:10 RobertoUa

I don't allow raw-string injection, that's the point. The second I allow raw-string injection you can potentially get SQL-injection vulnerabilities. Do you need completely dynamic strings?

deusaquilus avatar Jun 24 '25 21:06 deusaquilus

It works in Doobie. Anyway, I looked at terpal-sql and I found your way to concatenate fragments.

RobertoUa avatar Jun 24 '25 21:06 RobertoUa

Interesting! I didn't know doobie was fine with strings not prefixed with sql"...". I was thinking about introducing a dynamic-string splicing API but an explicit one e.g. sql("....dynamic(...)...").

deusaquilus avatar Jun 24 '25 22:06 deusaquilus

ah, sorry, bad example. What I mean is just concatenating, not thinking about a specific way to do it (prefixing, wrapping, etc). Strings should definitely be prefixed with sql (or fr in doobie). Updated example.

val fr1 = sql("name, age, pic")
val fr2 = sql("AND name = $name") // $name should be interpolated in the final query.
sql("SELECT $fr1 FROM users WHERE id = $id $fr2")

RobertoUa avatar Jun 25 '25 08:06 RobertoUa
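
The fragment composition asked for in the last comment, modelled as an added example (not Terpal's or terpal-sql's code): a spliced fragment contributes its SQL text and its bind parameters, while every other spliced value becomes a `?` placeholder. `Fragment`, `sqlOf` and the parts/values calling convention are hypothetical stand-ins for the literal parts and spliced values an interpolator receives.

```kotlin
// Hypothetical model of fragment composition; names are assumptions, not Terpal's API.
data class Fragment(val sql: String, val params: List<Any?>)

// parts are the literal pieces of the template, values are what was spliced between them.
fun sqlOf(parts: List<String>, values: List<Any?> = emptyList()): Fragment {
    require(parts.size == values.size + 1) { "need exactly one more part than values" }
    val text = StringBuilder(parts[0])
    val params = mutableListOf<Any?>()
    values.forEachIndexed { i, v ->
        when (v) {
            // A fragment was itself built from literals, so its text is spliced in
            // and its own bind parameters are carried along in order.
            is Fragment -> {
                text.append(v.sql)
                params.addAll(v.params)
            }
            // Anything else, including a plain String, is data: it never reaches the SQL text.
            else -> {
                text.append("?")
                params.add(v)
            }
        }
        text.append(parts[i + 1])
    }
    return Fragment(text.toString(), params)
}

fun main() {
    val id = 42
    val name = "x' OR '1'='1" // constructed hostile input

    // Models: val fr1 = sql("name, age, pic")
    val fr1 = sqlOf(listOf("name, age, pic"))
    // Models: val fr2 = sql("AND name = $name")
    val fr2 = sqlOf(listOf("AND name = ", ""), listOf(name))
    // Models: sql("SELECT $fr1 FROM users WHERE id = $id $fr2")
    val query = sqlOf(listOf("SELECT ", " FROM users WHERE id = ", " ", ""), listOf(fr1, id, fr2))
    println(query.sql)
    println(query.params)

    // A bare String spliced where a fragment was intended is bound, not injected.
    val raw = "name, age, pic"
    println(sqlOf(listOf("SELECT ", " FROM users"), listOf(raw)))
}
```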