On 9/12/06, loufoque <mathias.gaunard@etu.u-bordeaux1.fr> wrote:
> Scott Meyers wrote :
> > An example:
> > System.Data.SqlClient.SqlParameter is a class that describes a bound
> > parameter used in a database statement. Bound parameters are essential
> > to prevent SQL injection attacks. They should be exceedingly easy to use
> > since the "competition" (string concatenation of parameters into the SQL
> > statement) is easy, well understood, and dangerous.
> You can construct safe SQL queries with streams or printf-like syntax easily
#include <sstream>
#include <string>
std::string id = "2 ; delete from persons ;";   // value taken straight from user input
std::ostringstream sql;
sql << "select first_name, last_name, date_of_birth "
       "from persons where id = " << id;
Someone just deleted your persons table. Oops.
> No need to put objects everywhere that complexify everything.
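The point the reply makes, as an added example that is not part of the thread: the same concatenated query beside its bound-parameter form, using Python's sqlite3 module (not C++ streams or SqlParameter) with a constructed persons table. sqlite3's execute() happens to reject multi-statement strings, so executescript() is used as a stand-in for a database API that does not.

```python
import sqlite3

# Constructed sample table, not data from the mailing-list post.
PEOPLE = [
    (1, "Ada", "Lovelace", "1815-12-10"),
    (2, "Alan", "Turing", "1912-06-23"),
    (3, "Grace", "Hopper", "1906-12-09"),
]

QUERY = "select first_name, last_name, date_of_birth from persons where id = "


def fresh_db():
    """In-memory database holding the sample persons table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table persons (id integer primary key, "
                 "first_name text, last_name text, date_of_birth text)")
    conn.executemany("insert into persons values (?, ?, ?, ?)", PEOPLE)
    return conn


def row_count(conn):
    return conn.execute("select count(*) from persons").fetchone()[0]


def lookup_concatenated(conn, user_id):
    """The stream/printf style from the thread: the value becomes statement text.

    executescript() models a driver that accepts several statements per call;
    whether the driver does is not something the application controls.
    Returns how many rows survive in persons afterwards.
    """
    conn.executescript(QUERY + user_id)
    return row_count(conn)


def lookup_parameterized(conn, user_id):
    """Bound parameter: the value travels separately from the statement text,
    so whatever it contains is compared against id, never parsed as SQL.
    Returns (matching rows, rows surviving in persons)."""
    rows = conn.execute(QUERY + "?", (user_id,)).fetchall()
    return rows, row_count(conn)


if __name__ == "__main__":
    hostile = "2 ; delete from persons ;"          # the input from the thread
    print("concatenated, rows left:", lookup_concatenated(fresh_db(), hostile))
    print("parameterized:", lookup_parameterized(fresh_db(), hostile))
```

With the hostile value the concatenated form empties the table, while the bound form simply matches no row and leaves all three in place.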
_______________________________________________
Boost-users mailing list
Boost-users@lists.boost.org
http://lists.boost.org/mailman/listinfo.cgi/boost-users