Path: ...!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: Niklas Karlsson
Newsgroups: alt.folklore.computers,comp.os.linux.misc
Subject: Re: The joy of FORTRAN
Date: 4 Mar 2025 14:53:40 GMT
Organization: Department of Redundancy Department
Lines: 45
Message-ID:
References: <794451758.762727703.370029.peter_flass-yahoo.com@news.eternal-september.org>
X-Trace: individual.net 5728YFul3J5hmMKA5ZzDhQCdy44FiKhQEr+lkV/maUKKRzTeDM
Cancel-Lock: sha1:yE0IhVVS+S4WzX1zaHaLINP1j9w= sha256:qUzIK8Isk6QbymAv2NMXfl2sJVNfkAZik+cr+tM+4R4=
User-Agent: slrn/1.0.3 (Linux)
Bytes: 3735

On 2025-03-04, The Natural Philosopher wrote:
> On 04/03/2025 12:25, Niklas Karlsson wrote:
>> On 2025-03-04, The Natural Philosopher wrote:
>>> On 04/03/2025 06:25, rbowman wrote:
>>>> On Mon, 3 Mar 2025 23:02:44 -0500, c186282 wrote:
>>>>
>>>>> It's easy to kinda drift into that during development, you always
>>>>> think of ONE more thing you need to pass. However stage two, you put
>>>>> all that crap in a struct and pass one pointer. Each function can
>>>>> extract what it needs from that struct and ignore the rest.
>>>>
>>>> I never made it to anywhere close to 60 parameters. We did have one
>>>> utility that took 22 command line parameters but it was never meant to be
>>>> invoked manually and came with a csh. Even then they all were stuffed into
>>>> a struct before the real function was called.
>>>>
>>>> Even worse, the parameters were field widths in a positional record. I
>>>> truly hate positional records but the damn things live on.
>>> len=sprintf(query,"insert into day set
>>> timestamp='%s',demand='%f',frequency='%f',coal='%f',nuclear='%f',ccgt='%f',ocgt='%f',french_ict='%f',
>>> irish_ict='%f', dutch_ict='%f', ew_ict= '%f',
>>> pumped='%f',hydro='%f',wind='%f',oil='%f',other='%f', north_south='%f',
>>> scotland_england='%f', solar='%f', biomass='%f', nemo='%f',ifa2='%f',
>>> nsl='%f', intelec_ict='%f',vkl_ict=%f",
>>> timestr,total,frequency,coal,
>>> nuclear,ccgt,ocgt,france,ireland,holland,ew,pumped,hydro,wind,oil,other,north_south,scotland_england,
>>> solar, biomass,nemo,ifa2,nsl,intelec,vkl );
>>
>> Not a terribly safe way to build a query. Any database API worth its
>> salt should have a way to build one with placeholders instead, so the
>> parameters automatically get special characters escaped and are
>> generally safer from malicious data.
>>
> Silly boy. The data is precisely known, and it is all floating point
> numbers.

I see a %s in there, and you are far too trusting. It's not like making
a placeholder call is any more difficult anyhow.

Niklas
-- 
"Vir! You are not biologically equipped to handle fast food."
"I know, I know, but it .. it tastes so great going down. Coming up again
it's not so terrific, but--"
-- Londo and Vir in Babylon 5: "Meditations on the Abyss"
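An added example, not code from anyone in the thread, contrasting the quoted sprintf() build of the "insert into day" query with the placeholder call Niklas recommends. It uses Python's built-in sqlite3 module as a stand-in for the MySQL C API, keeps only the timestamp and four of the float columns, and writes the statement in the portable INSERT ... VALUES form because SQLite has no "insert ... set" syntax; the sample rows are constructed.

```python
import sqlite3

# Constructed schema: the first five columns of the quoted query (assumption:
# timestamp is text, everything else a floating-point reading).
SCHEMA = ("CREATE TABLE day (timestamp TEXT, demand REAL, frequency REAL, "
          "coal REAL, nuclear REAL)")


def insert_sprintf_style(con, timestr, total, frequency, coal, nuclear):
    """Mirrors the quoted sprintf(): values are pasted into the SQL text.

    The floats are harmless, but the %s column inherits whatever the
    timestamp string contains, quotes included.
    """
    query = ("INSERT INTO day (timestamp, demand, frequency, coal, nuclear) "
             "VALUES ('%s', %f, %f, %f, %f)"
             % (timestr, total, frequency, coal, nuclear))
    con.execute(query)


def insert_with_placeholders(con, timestr, total, frequency, coal, nuclear):
    """Same insert with bound parameters: the driver never splices values
    into the statement text, so the string is stored exactly as given."""
    con.execute("INSERT INTO day (timestamp, demand, frequency, coal, nuclear) "
                "VALUES (?, ?, ?, ?, ?)",
                (timestr, total, frequency, coal, nuclear))


def run_both(timestr):
    """Run each builder on a fresh in-memory table with the same readings.

    Returns a pair (sprintf_result, placeholder_result); each element is the
    list of stored (timestamp, demand) rows, or an 'error: ...' string if the
    statement failed to execute.
    """
    results = []
    for builder in (insert_sprintf_style, insert_with_placeholders):
        con = sqlite3.connect(":memory:")
        con.execute(SCHEMA)
        try:
            builder(con, timestr, 30123.5, 50.01, 1200.0, 5600.25)
            results.append(con.execute(
                "SELECT timestamp, demand FROM day").fetchall())
        except sqlite3.Error as exc:
            results.append(f"error: {exc}")
        finally:
            con.close()
    return tuple(results)


if __name__ == "__main__":
    print(run_both("2025-03-04 14:53:40"))   # both succeed
    print(run_both("it's"))                  # sprintf build fails, bound one stores it
```

With a clean timestamp both paths store the same row; with a stray apostrophe in the string the sprintf-style statement is no longer valid SQL, while the bound version stores the value verbatim.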