[postmodern-devel] query

Drew Crampsie drewc at tech.coop
Sat Jan 29 20:49:57 UTC 2011


On 29 January 2011 04:15, Haris <fbogdanovic at xnet.hr> wrote:
> I made query like this:
>
> (sql (:select '* :from 'kupci :where (:and
> (:raw (if 'ime (sql (:like 'ime (concat-string "%" (parameter "ime") "%")))
> t))

What exactly do you think (if 'symbol ....) is doing? Why?

> (:raw (if 'prezime (sql (:like 'prezime (concat-string "%" (parameter
> "prezime") "%"))) t)))))

 (if 'prezime ....), unless I'm seriously misunderstanding :raw, is
also useless and will always return true.

>
> but it doesn't work.

I think you're mixing up the differences between Common Lisp and
S-SQL. They are not the same language and have drastically different
methods of evaluation. Do you know how lisp macros work?

(macroexpand '(s-sql:sql (:raw (if 'foo 'bar 'bar))))

=>
(IF 'FOO
    'BAR
    'BAR)


> For example, if (:like ...) for 'ime field passes and 'prezime field is
> null,
> record will not be selected.

> Is the test (if 'prezime ...) ok to test that the field is not null ?

No, that's cl:if, and knows nothing about the database. There is no IF
expression in SQL.

SQL has a test for not null... in s-sql I think it's pronounced (:not
(:is-null 'ime)) :

(macroexpand '(s-sql:sql (:not (:is-null 'ime))))
=>
"(not (ime IS NULL))"

> Or do I have to do something like (if (/= 'prezime nil) ...) ?

I'm not at all sure why you think this would work either.... do you
understand the difference between the SQL macro and CL code? :RAW
simply evaluates CL code to a string and inserts that.

Also, if that's hunchentoot:parameter I see up there, you're in a lot
more trouble than I thought. Google 'sql injection' to find out why.

Basically, I think it's a good idea to learn common lisp before
attempting to use embedded macro languages. On Lisp is available free
and has an in-depth treatment of macros... practical common lisp is
also an excellent option.

Until you're comfortable with macros, you might just want to use
(SANITIZED!) strings to store your queries... it seems that the SQL
macro has left you very confused. Alternately, rather than writing
code in a language you don't understand, spend some time learning
Common Lisp before jumping into application development.

Finally, if you're going to develop web applications, or _any_
application that has users, always validate and sanitize your input
before using it. Please.


Cheers,

drewc

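As an added example (not code from the thread or from Postmodern itself), here is how the kupci query from the original post can be assembled at run time with s-sql:sql-compile, so that the "is this field supplied" decisions happen in Common Lisp while the user values stay escaped SQL literals. The IME and PREZIME arguments stand in for whatever hunchentoot:parameter returns, and LIKE-PATTERN is a hypothetical helper.

```lisp
;; Added example, not from the original thread. Assumes Postmodern/S-SQL
;; is loaded; IME and PREZIME stand in for the raw strings (or NIL) that
;; hunchentoot:parameter returns for the "ime" and "prezime" fields.
(ql:quickload :postmodern)

(defun like-pattern (value)
  "Hypothetical helper: wrap VALUE in % wildcards for a LIKE test."
  (concatenate 'string "%" value "%"))

(defun build-kupci-query (ime prezime)
  "Return the SQL string for selecting from kupci, filtering only on the
fields the user actually supplied.  The (if ...) decisions happen here,
in Common Lisp, at run time -- not inside the SQL macro, where
(if 'ime ...) tests the symbol IME and is therefore always true."
  (let ((conditions '()))
    (when (and ime (plusp (length ime)))
      (push `(:like 'ime ,(like-pattern ime)) conditions))
    (when (and prezime (plusp (length prezime)))
      (push `(:like 'prezime ,(like-pattern prezime)) conditions))
    ;; SQL-COMPILE takes the S-SQL form as a data structure and emits the
    ;; user strings as escaped SQL literals, unlike :RAW, which splices
    ;; whatever string the CL code produced straight into the query.
    (s-sql:sql-compile
     (if conditions
         `(:select '* :from 'kupci :where (:and ,@conditions))
         '(:select '* :from 'kupci)))))

;; What the original post was heading toward: :RAW inserts the CL string
;; verbatim, so a value containing a single quote ends the literal early
;; and the remainder is parsed as SQL.  Never do this with request input.
(defun unsafe-kupci-query (ime)
  (s-sql:sql (:select '* :from 'kupci
              :where (:raw (format nil "ime LIKE '%~a%'" ime)))))

;; The NULL test the poster wanted belongs in S-SQL, not in cl:if:
(defun kupci-with-prezime-query ()
  (s-sql:sql (:select '* :from 'kupci :where (:not (:is-null 'prezime)))))
```

Calling (build-kupci-query "an" nil) yields a query that filters on ime only, while (build-kupci-query nil nil) returns the unfiltered SELECT.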