Query builder #182
Comments
Hi 👋 Is the string concatenation approach safe? I would assume "sql injection"-like attacks are possible?
In general, it is not. Like with SQL, interpolating unsanitized user input into EdgeQL queries might lead to "EdgeQL injection". Thus, you must always pass input as query arguments. That said, composing queries from non-arbitrary string pieces is just fine, e.g.:
Naturally, this isn't the most ergonomic approach, so we are looking to build generated clients to compose queries in a type-safe manner.
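The distinction drawn above, as an added Go example that is not code from this thread or from edgedb-go: the concatenation pattern beside the argument-passing one, plus a query composed only from a closed set of fragments. The `Query` type, the helper names, the `User` schema and the sort whitelist are assumptions; the text/args pair stands in for what would be handed to a client query method.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Query pairs EdgeQL text with the positional arguments it expects.
// Hypothetical type for this example, not part of edgedb-go.
type Query struct {
	Text string
	Args []interface{}
}

// unsafeUserByName is the concatenation pattern from the thread: the
// caller-supplied name becomes part of the query text itself.
func unsafeUserByName(name string) Query {
	return Query{Text: "SELECT User FILTER .name = '" + name + "'"}
}

// safeUserByName keeps the EdgeQL text constant and passes the name as a
// typed positional argument, so input can never alter the query shape.
func safeUserByName(name string) Query {
	return Query{Text: "SELECT User FILTER .name = <str>$0", Args: []interface{}{name}}
}

// allowedSort is the closed set of "non-arbitrary string pieces" the query
// may be composed from; anything outside it is rejected before use.
var allowedSort = map[string]string{"name": ".name", "created": ".created_at"}

// usersSortedBy composes the text from a whitelisted fragment and passes
// the user-controlled limit as an argument.
func usersSortedBy(field string, limit int64) (Query, error) {
	expr, ok := allowedSort[field]
	if !ok {
		return Query{}, errors.New("unknown sort field: " + field)
	}
	text := fmt.Sprintf("SELECT User { name } ORDER BY %s LIMIT <int64>$0", expr)
	return Query{Text: text, Args: []interface{}{limit}}, nil
}

// inputLeaksIntoText is a simple review check: raw input that shows up
// verbatim in the query text is a sign of concatenation, not parameters.
func inputLeaksIntoText(q Query, input string) bool {
	return strings.Contains(q.Text, input)
}

func main() {
	name := "O'Brien" // constructed input containing a quote
	fmt.Println(unsafeUserByName(name).Text) // quote lands in the text
	fmt.Println(safeUserByName(name).Text)   // text unchanged, name in Args
}
```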
Ah, alright. Weird though. I tried using the arguments in insertions and it didn't work:
Using this in a
Not even possible to use it in
Which is annoying, because
Cool, thanks for letting me know! A better API, or something like sqlc, would be amazing. Will be following the project, edgedb looks great! :)
@diogox thanks for creating this issue. Due to the lack of documentation I also followed the string concatenation method from looking at the test files and I also came across the issue that Execute does not take any arguments either. Still I solved my issues by following the advice from @elprans. Definitely looking forward to the query builder, when it becomes available. 👍
As opposed to sqlc, perhaps code-generating the SDK similar to entgo.io would be possible? ent is in my opinion the strongest golang ORM purely based on the fully typed CRUD and hooks and etc. Not all of this would be possible given EdgeDB is not entirely the same concept, but following in the footsteps of ent and creating a codegenned-SDK from the source schema instead of from documents like sqlc would be a big difference in my opinion.
Something better than string concatenation for dynamic query construction.