• akash_rawal@lemmy.world
    link
    fedilink
    arrow-up
    41
    arrow-down
    2
    ·
    11 months ago

    I actually like this. This would allow reuse of all the infrastructure we have around XML. No more SQL injection and dealing with query parameters? Sign me up!

    • CanadaPlus
      link
      fedilink
      English
      arrow-up
      8
      ·
      11 months ago

      Assuming it’s built well. As someone else pointed out, it doesn’t look quite right here.

      • akash_rawal@lemmy.world
        link
        fedilink
        arrow-up
        2
        arrow-down
        1
        ·
        11 months ago

        Better than parameterized queries. Yes, we have stuff like query("INSERT INTO table(status, name) VALUES ($1, $2);").bind(ent.status).bind(ent.name).execute..., but that’s kind of awful isn’t it? With XML queries, we could use any of the XML libraries we have to create and manipulate XML queries without risking ‘XML injection’. e.g we could convert ordinary structs/classes into column values automatically without having to use any ORM.

        • Doc Avid Mornington@midwest.social
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          11 months ago

          I mean, that’s just a bad library interface. With a halfway decent interface, you can do something like

          query('insert into foo (status, name) values (:status, :name)', ent)
          

          No orm required. With tagged templates in JS, you can do

          q`insert into foo (status, name) values (${ent.status}, ${ent.name})`
          

          Even wrap it in a function with destructuring to get rid of ent:

          const addFoo = (q, {status, name}) =>
              q`insert into foo (status, name) values (${status}, ${name})`
          

          Typescript can add type safety on top of that, of course. And there’s the option to prepare a query once and execute it multiple times.

          Honestly, the idea of manipulating XML queries, if you mean anything more fancy than the equivalent of parameter injection, sounds over-complicated, but I’d love to see a more concrete example of what you mean by that.

          • akash_rawal@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            11 months ago

            I was thinking along the lines of

            Plenty of libraries can build the XML using structs/classes. e.g. with serde:

            //Data type for row
            #[derive(serde::Serialize)]
            pub struct Foo {
            	pub status: String,
            	pub name: String,
            }
            
            //Example row
            let ent = Foo {
                status: "paid".into(),
                name: "bob".into(),
            }
            
            //Example execution
            sqlx::query(&serde_xml_rs::to_string(&InsertStmt{
            	table: "foo".into(),
            	value: &ent,
            })?).execute(&conn)?;
            

            Or with jackson-dataformat-xml:

            //Data type for row
            public class Foo {
                public string status;
                public string name;
            }
            
            //Example row
            Foo ent = new Foo();
            foo.status = "paid";
            foo.value = "bob";
            
            //Example execution
            XmlMapper xmlMapper = new XmlMapper();
            String xml = xmlMapper.writeValueAsString(new InsertStmt("foo", ent));
            try (Statement stmt = conn.createStatement()) {
                stmt.executeUpdate(xml)
            }
            

            I don’t do JS (yet) but maybe JSX could also do similar things with XML queries.

            No more matching $1, $2, … (or ? for mysql) with individual columns, I could dump entire structs/objects into a query and it would work.