Re: ustring compose escaping capability



On Wed, 2008-01-23 at 17:39 +0100, Balazs Scheidler wrote:

> In my humble opinion it is totally wrong in the way you describe.
> 
> Suppose you have 100 different queries, each 2 different arguments (on
> average), you state that calling make_legal_sql() 200 times is a safer
> approach than providing the same functionality in one place in compose?
> 
> I'd bet that everyone would forget at least one make_legal_sql()
> invocation.
> 
> What does make_legal_sql() do in your example? I say that everything it
> does can be done in the escaping mechanism that we described. Under the
> term "escaping" I mean to do whatever transformation on the string
> necessary to make it sane in the specific context.


what happens if I am using compose to build a shell command to be passed
to system, where the rules for escaping are totally different? For
example, in a shell script, you cannot put single quotes "inside" other
single quotes *even if they are escaped*. how is compose() supposed to
know this? 

sure, if you want to do ustring::sql_compose() then go ahead, but then
you will also need ustring::python_compose(), ustring::sh_compose(), all
the way down to ustring::some_language_i_have_forgotten_compose().

leave compose to do the job of merging strings; use other code to handle
language-context-specific escaping.

--p
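The shell case raised in this message, as an added example that is not part of the original thread: a standalone C++ function that quotes one argument for a POSIX shell by closing the single-quoted string, emitting an escaped quote, and reopening it, beside a minimal placeholder-substitution stand-in for ustring::compose (assumed here, glibmm itself is not used) so the merge step stays context-free and escaping is applied per argument by the caller.

```cpp
#include <stdexcept>
#include <string>
#include <vector>

// Quote one argument for a POSIX shell. Inside single quotes no character
// is special, so the only case to handle is a literal single quote, which
// cannot be escaped inside the quotes: close the string, emit an escaped
// quote ('\''), then reopen it.
std::string shell_quote(const std::string& arg)
{
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'')
            out += "'\\''";
        else
            out += c;
    }
    out += '\'';
    return out;
}

// Minimal stand-in for ustring::compose(): replaces %1 .. %9 with the
// matching argument and does no escaping of its own (assumed behaviour
// for this example; this is not glibmm's implementation).
std::string compose(const std::string& fmt, const std::vector<std::string>& args)
{
    std::string out;
    for (std::size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] == '%' && i + 1 < fmt.size()
            && fmt[i + 1] >= '1' && fmt[i + 1] <= '9') {
            std::size_t n = fmt[i + 1] - '1';
            if (n >= args.size())
                throw std::out_of_range("compose: missing argument");
            out += args[n];
            ++i;  // skip the digit
        } else {
            out += fmt[i];
        }
    }
    return out;
}

// The caller knows the context is a shell command line, so it quotes each
// argument first and only then lets compose() merge the pieces.
std::string build_shell_command(const std::string& program, const std::string& filename)
{
    return compose("%1 -- %2", { shell_quote(program), shell_quote(filename) });
}
```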



