PROPOSAL: Templated Construction Expressions (i.e., Expressions Embedded in Strings)

John Rose John.Rose at Sun.COM
Tue Mar 31 16:58:19 PDT 2009


On Mar 30, 2009, at 10:37 PM, rssh at gradsoft.com.ua wrote:

>> On Mar 20, 2009, at 1:50 PM, John Rose wrote:
>>
>> I wrote up something more specific, for the sake of this go-around.
>> It is generic and pluggable enough to provide some help with XML
>> templating, and SQL construction.
>>
>
> 1. With SQL constructions there exists a problem: the existence of such
> template string parameters provokes programmers to use them instead of
> host variables in queries, which causes performance problems and SQL
> injection problems.

Because this is a general template mechanism, and *not* merely a  
string constructor, it is *not* vulnerable to SQL injection.  The  
string segments and interpolations are processed by different factory  
methods (appendText vs. append), so an SQL query factory is free to  
restrict and check the interpolated arguments.

See the XML example in the proposal; it shows how a two-phase factory  
API can first compile and check a template, and then apply it.

> So, for example, in many PHP guidelines there exists a rule: do not use
> "-strings for SQL.
>
> 2. Also, I can't understand how this construction will be useful
> without multiline strings.

You are right; thanks.  There is a need at least for C's "foo\n\bar"  
or "foo\n" "bar".

If triple-quote (or some equivalent) happens, it would have to be  
applied to templated constructors as well as literals, giving the  
equivalent of here-files.

> 3. COMPATIBILITY - this breaks all code that uses $ in string literals.
> (Or did I read something incorrectly?)  So better prefix such strings
> with something. (Maybe yet one more '$' or '@'?)

You read incorrectly.  Template constructor expressions are distinct  
from string literals.  They are prefixed with the token "new".

> 4. Why not just call this parser from some method?  I.e., what are the
> arguments for including string templates in the language itself, instead
> of a library call?

The usual:  Sugar like that can help API designers build APIs whose  
code is more maintainable:  Less noisy.  Template-based systems are  
popular for a reason.

-- John
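To make the appendText-vs-append point concrete, here is an added sketch of a two-phase SQL query factory in the shape John describes; it is example code written for this page, not code from the proposal or from the coin-dev list. The class name SqlQueryFactory and the check on argument types are assumptions; only the appendText and append method names come from the message above.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical two-phase query factory (name and type policy are assumptions).
 * Phase 1: the templated constructor feeds literal segments to appendText()
 * and interpolated values to append(), so the factory can tell them apart.
 * Phase 2: sql() and params() hand back a host-variable query, ready for
 * PreparedStatement.setObject(i, v). An interpolated value never becomes
 * SQL text, so quote characters in it cannot alter the query's structure.
 */
public final class SqlQueryFactory {
    private final StringBuilder sql = new StringBuilder();
    private final List<Object> params = new ArrayList<>();

    /** Literal template text typed by the programmer; trusted as SQL. */
    public SqlQueryFactory appendText(String text) {
        sql.append(text);
        return this;
    }

    /** An interpolated argument; restricted to plain scalars and bound, not spliced. */
    public SqlQueryFactory append(Object value) {
        if (!(value instanceof String || value instanceof Number || value instanceof Boolean)) {
            throw new IllegalArgumentException("unsupported interpolated argument: " + value);
        }
        sql.append('?');          // placeholder in the SQL text
        params.add(value);        // the value travels separately as a bind parameter
        return this;
    }

    public String sql() { return sql.toString(); }

    public List<Object> params() { return List.copyOf(params); }

    public static void main(String[] args) {
        // Constructed input standing in for what a templated constructor would
        // desugar to; the apostrophe shows that quoting is never the factory's problem.
        String name = "O'Brien";
        SqlQueryFactory q = new SqlQueryFactory()
            .appendText("SELECT id FROM users WHERE name = ")
            .append(name)
            .appendText(" AND active = ")
            .append(Boolean.TRUE);
        System.out.println(q.sql());
        System.out.println(q.params());
    }
}
```

The same split is what lets an XML factory validate or escape interpolations while passing literal markup through untouched.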
