From: Date: September 27 2008 3:13am
Subject: Re: Regressions with quoting
List-Archive: http://lists.mysql.com/plusplus/7999
Message-Id: <48DD88B1.9060607@pileofstuff.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Warren Young wrote:
> Andrew Sayers wrote:
>> the new
>> selective quoting means that now I have to pass a Query wherever I want
>> quoting to work.
> 
> That's a feature.  MySQL++ shouldn't quote or escape things if it
> doesn't know for a fact that you're building SQL strings and that the
> thing being inserted really needs quoting or escaping.
> 
> (By the way, I think you mean escaping, not quoting.)
> 

Indeed I do, but shouldn't the fact that I put mysqlpp::escape before a
string be quite a strong hint?

I suspect this is the point where you tell me there are half a dozen
ways to do escaping, of which I happen only to know one :)

>> Could we add static member functions that call
>> DBDriver::escape_string_no_conn()?
> 
> Add static methods to what?  And, what method signature do you want to see?

As I wrote that, my instinct was to have some sort of static
mysqlpp::Query::escape_string() alongside the normal ones, as that's
where I would look for them as a user.  Replacing my UI designer hat
with a more library-friendly garment, ordinary mysqlpp::escape_string()
functions with similar signatures to their
mysqlpp::Query::escape_string() counterparts would probably be more
sensible.

> Also, I'm not wild about code using the no-conn escaping method any more
> than necessary.  If you do it without reference to the server's
> character set, you may do it wrong.  AFAIK, there is only one use of the
> no-conn method left in MySQL++, and there's no alternative there.

To be honest, I don't really understand the character set thing.  Are we
talking about UTF-8 vs. Latin-1, or ASCII vs. EBCDIC?  If it's the
former, I'll withdraw my suggestion.  If it's the latter, I'll take my
chances.

> I see why you don't want to call DBDriver::escape_string_no_conn()
> directly, but without knowing where you want on-demand escaping, or how
> that ties in with other string data types, I'm a bit lost as to what you
> really want.  Can you give pseudocode showing how the new interface is
> supposed to work?
> 

In 2.3, I could do something like this:

std::ostream& shared_sql_fragment(std::ostream& o, ...)
   return o
	<< "WHERE " << mysqlpp::quote << foo
	<< " = '" << mysqlpp::escape << bar << "'";
}

Then call shared_sql_fragment() everywhere I wanted an SQL fragment of
the relevant format.  Using an ostream let me pass in an ostringstream
if I wanted to compile the string ahead of time.  I'm assuming it's too
late to get that exact functionality back, but something like this still
seems practical:

std::ostream& shared_sql_fragment(std::ostream& o, ...)
   mysqlpp::escape_string(foo);
   mysqlpp::escape_string(bar);
   return o
	<< "WHERE '" << foo << "' = '"  << bar << "'";
}

	- Andrew