search

underscoreio / essential-slick

Essential Slick Pandoc Source
https://underscore.io/books/essential-slick/
39 stars 8 forks source link

Describe inSetBind #98

Open d6y opened 8 years ago

d6y commented 8 years ago

Requested: https://twitter.com/tlockney/status/709212437224906754

jonoabroad commented 8 years ago

I notice he is asking you and not me :P

On 14 March 2016 at 20:09, Richard Dallaway notifications@github.com wrote:

Requested: https://twitter.com/tlockney/status/709212437224906754

— Reply to this email directly or view it on GitHub https://github.com/underscoreio/essential-slick/issues/98#issuecomment-196213760 .

d6y commented 8 years ago

I guess because I've picked up their questions on gitter/SO etc. Feel free to jump in there!

On Tue, 15 Mar 2016 at 09:49 Jonathan Ferguson notifications@github.com wrote:

I notice he is asking you and not me :P

On 14 March 2016 at 20:09, Richard Dallaway notifications@github.com wrote:

Requested: https://twitter.com/tlockney/status/709212437224906754

— Reply to this email directly or view it on GitHub < https://github.com/underscoreio/essential-slick/issues/98#issuecomment-196213760

.

— You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub:

https://github.com/underscoreio/essential-slick/issues/98#issuecomment-196745481

jonoabroad commented 8 years ago

I believe this is a tested methodology

https://www.youtube.com/watch?v=nfWlot6h_JM

On 15 March 2016 at 20:55, Richard Dallaway notifications@github.com wrote:

True. How can I shake them off? :-)

I guess because I've picked up their questions on gitter/SO etc. Feel free to jump in there!

On Tue, 15 Mar 2016 at 09:49 Jonathan Ferguson notifications@github.com wrote:

I notice he is asking you and not me :P

On 14 March 2016 at 20:09, Richard Dallaway notifications@github.com wrote:

Requested: https://twitter.com/tlockney/status/709212437224906754

— Reply to this email directly or view it on GitHub <

https://github.com/underscoreio/essential-slick/issues/98#issuecomment-196213760

.

— You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub:

https://github.com/underscoreio/essential-slick/issues/98#issuecomment-196745481

— You are receiving this because you commented. Reply to this email directly or view it on GitHub:

https://github.com/underscoreio/essential-slick/issues/98#issuecomment-196746727

d6y commented 8 years ago

I'm not sure why there's inSet as well as inSetBind.

Example difference in behaviour:

scala> messages.filter(_.id inSet Set(1,3)).result.statements.mkString
res2: String = select "sender", "content", "id" from "message" where "id" in (1, 3)

scala> messages.filter(_.id inSetBind Set(1,3)).result.statements.mkString
res3: String = select "sender", "content", "id" from "message" where "id" in (?, ?)

Notice inSetBind uses the (?,?) bind values.

inSet looks like a vector for SQL injection, but the String is escaped, so the attack doesn't quite work:

scala> messages.filter(_.sender inSet Set("'); drop table messages;--")).result.statements.mkString
res10: String = select "sender", "content", "id" from "message" where "sender" in ('''); drop table messages;--')
d6y commented 8 years ago

Relating to #9 - inSet/inSetBind queries can't be cached (Compiled) when the set of values are an argument to the query. That's because the SQL would vary based on the number of items in the set.

d6y commented 8 years ago

Also: compare and contrast inSetBind to in. One is for client-side values; the other for anything else.

E.g.,

messages.filter(_.id in messages.map(_.id))