Hipster your SQL!
-
A NodeJS module that does emulated prepares on SQL queries. Using mustache notation. Because why not?
WHY THE FUCK IS THIS EVEN A THING?
-
@Onyx said in Hipster your SQL!:
A NodeJS module that does emulated prepares on SQL queries. Using mustache notation. Because why not?
The documentation (such as it is) says that the {{foobar}} notation is escaped by mysql. Escaped.
-
@dkf Well, at least it lets MySQL do it, I guess. As opposed to PHP and PDO where the default is for PHP to do the escaping. Because why would we not trust that rather than the RDBMS engine which can do that natively.
-
@Onyx I can think of two reasons, one horrifying, one merely
1) As an alternative to using driver-provided prepared statements.
2) To assist in building apps that allow users to dynamically build a SQL query and then copy-paste that query into the SQL tool of their choice.
-
@dkf said in Hipster your SQL!:
@Onyx said in Hipster your SQL!:
A NodeJS module that does emulated prepares on SQL queries. Using mustache notation. Because why not?
The documentation (such as it is) says that the {{foobar}} notation is escaped by mysql. Escaped.
-
To be fair, the syntax looks pretty nice
let template = 'UPDATE foobar SET {{property}} WHERE id = {{id}}'
let parameter = {id: 1, property: {foo: 'bar', num: 3.14}}
render(template, parameter)
Although it's a very minor change compared to the existing function
connection.query('SELECT * FROM users WHERE id = ?', [userId], function(err, results) {...})
Now, in normal person world, we don't install modules just to make the syntax of a function slightly different. But this is NodeJS, remember? With the left-pad and all that?
-
@Onyx said in Hipster your SQL!:
Well, at least it lets MySQL do it, I guess. As opposed to PHP and PDO where the default is for PHP to do the escaping.
If it was doing it right, it would just be a different syntax for a prepared statement. No big deal; named substituents make those much more readable, and if the moustache syntax is widely known to potential users of this code, it'd be a sensible option to provide as it would get good traction quickly. Escaping is something else entirely, like using that old shoe to hammer in a nail; it'll mostly work, but it's still entirely stupid.
Not as bad as a straight text substitution though. Those puppies are abysmal.
-
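On dkf's point that done right this would just be another syntax for a prepared statement: the following is an added example, not code from the module under discussion or from any driver. It compiles a {{name}} template into a positional "?" query plus an ordered value list, the shape a driver-side prepared statement wants (mysql2's connection.execute, for instance, takes exactly that pair). Unlike a plain regex replace, it skips string literals and comments, so a "{{" inside a quoted literal is left alone. The template, parameters and expected output below are constructed for the demo.

```javascript
'use strict';

// Compile a {{name}}-style template into { sql, values }, where sql uses
// positional "?" placeholders and values is the matching ordered list.
// Nothing is spliced into the query text; the values travel separately.
// Added example; simplified model, not the module's or a driver's own code.
function compileNamed(template, params) {
  const values = [];
  let out = '';
  let i = 0;
  const n = template.length;
  while (i < n) {
    const c = template[i];
    const next = template[i + 1];
    // Quoted literal or backticked identifier: copy verbatim, honouring
    // doubled quotes ('') and, outside backticks, backslash escapes.
    if (c === "'" || c === '"' || c === '`') {
      let j = i + 1;
      while (j < n) {
        if (template[j] === '\\' && c !== '`') { j += 2; continue; }
        if (template[j] === c) {
          if (template[j + 1] === c) { j += 2; continue; }
          break;
        }
        j++;
      }
      if (j >= n) throw new Error('unterminated literal');
      out += template.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    // Line comment (-- or #): copy up to the end of the line.
    if ((c === '-' && next === '-') || c === '#') {
      let j = template.indexOf('\n', i);
      if (j === -1) j = n;
      out += template.slice(i, j);
      i = j;
      continue;
    }
    // Block comment: copy through the closing marker.
    if (c === '/' && next === '*') {
      const j = template.indexOf('*/', i + 2);
      if (j === -1) throw new Error('unterminated comment');
      out += template.slice(i, j + 2);
      i = j + 2;
      continue;
    }
    // Placeholder: emit "?" and record the value in order. The same name
    // may appear several times; each occurrence gets its own "?".
    if (c === '{' && next === '{') {
      const close = template.indexOf('}}', i + 2);
      if (close === -1) throw new Error('unterminated placeholder');
      const name = template.slice(i + 2, close).trim();
      if (!/^\w+$/.test(name)) throw new Error('bad placeholder name: ' + name);
      if (!Object.prototype.hasOwnProperty.call(params, name)) {
        throw new Error('missing parameter: ' + name);
      }
      values.push(params[name]);
      out += '?';
      i = close + 2;
      continue;
    }
    out += c;
    i++;
  }
  return { sql: out, values: values };
}

// Constructed demo input: one "{{" inside a literal, one inside a comment,
// and a parameter used twice.
function demo() {
  return compileNamed(
    "SELECT * FROM notes WHERE body = '{{not_a_param}}' -- {{also_not}}\n" +
    "  AND author = {{author}} AND (id = {{id}} OR parent = {{id}})",
    { author: "O'Brien", id: 7 });
}

const compiled = demo();
console.log(compiled.sql);
console.log(compiled.values);
// With a real driver the pair would go to something like
// connection.execute(compiled.sql, compiled.values, callback).
```

The quote in O'Brien never touches the SQL text, which is the whole point: the server parses the statement once, with three typed parameter slots, and the values cannot change its structure.
-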
@dkf I'm kinda giving the author a benefit of the doubt on the phrasing here, I buttumed it should've been "prepared".
-
@Onyx I checked the source; I'm not sure if it is doing the right thing or not. The code delegates virtually everything to other libraries; the princess is in another castle…
-
@dkf said in Hipster your SQL!:
@Onyx said in Hipster your SQL!:
A NodeJS module that does emulated prepares on SQL queries. Using mustache notation. Because why not?
The documentation (such as it is) says that the {{foobar}} notation is escaped by mysql. Escaped.
The intro blurb says it's escaped by node-mysql, "a node.js driver for mysql... written in JavaScript".
Basically it's a way to have your parameters automatically sanitized and inserted into your query string. That doesn't actually sound too terrible. Much better than hand-rolling it and not sanitizing, or trying to sanitize but sanitizing incorrectly.
@anonymous234 said in Hipster your SQL!:
it's a very minor change compared to the existing function
connection.query('SELECT * FROM users WHERE id = ?', [userId], function(err, results) {...})
You're replacing an ordered list of parameters mapped to ? characters with an unordered list of named parameters mapped to corresponding {{name}} strings. I can definitely see how the latter would be easier to manage, because you're not counting and trying to keep things in the right order if there are a lot of parameters. Also, if you use this syntax, "all ? are replaced, even those contained in comments and strings."
-
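To make concrete what "escaped by mysql" and the "all ? are replaced" caveat mean, here is an added example (not the module's code, and not node-mysql's; the escaping rules follow node-mysql's documented behaviour in outline, which is an assumption of this simplified model). It shows a {{name}} renderer and a naive "?" renderer both built on client-side escaping, an injection attempt ending up as a harmless quoted literal, the object-to-SET expansion from the template above, and the failure mode where a "?" inside a string literal is eaten as a placeholder. All inputs are constructed for the demo.

```javascript
'use strict';

// Escape a single value into SQL literal text. Simplified model of what a
// client-side escape routine does; Dates and binary values are omitted.
function escapeValue(val) {
  if (val === null || val === undefined) return 'NULL';
  if (typeof val === 'number') return String(val);
  if (typeof val === 'boolean') return val ? 'true' : 'false';
  if (Array.isArray(val)) return val.map(escapeValue).join(', ');
  if (typeof val === 'object') {
    // Objects become `key` = value pairs, which is what makes a SET clause work.
    return Object.keys(val)
      .map(function (k) { return escapeId(k) + ' = ' + escapeValue(val[k]); })
      .join(', ');
  }
  var escaped = String(val).replace(/[\0\b\t\n\r\x1a"'\\]/g, function (c) {
    switch (c) {
      case '\0': return '\\0';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\x1a': return '\\Z';
      default: return '\\' + c;
    }
  });
  return "'" + escaped + "'";
}

// Escape an identifier: wrap in backticks and double any embedded backtick.
function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``') + '`';
}

// Mustache-style named substitution: every {{name}} becomes the escaped value.
function renderMustache(template, params) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, function (m, name) {
    if (!(name in params)) throw new Error('missing parameter: ' + name);
    return escapeValue(params[name]);
  });
}

// Naive positional substitution: every "?" is replaced in order, with no
// regard for string literals or comments (the behaviour quoted above).
function formatQuestionMarks(sql, values) {
  var i = 0;
  return sql.replace(/\?/g, function () {
    if (i >= values.length) throw new Error('too few values');
    return escapeValue(values[i++]);
  });
}

// Constructed injection attempt.
var injection = "1 OR 1=1; DROP TABLE users; --";

function demoMustache() {
  // The whole attempt lands inside one quoted literal; no second statement.
  return renderMustache('SELECT * FROM users WHERE id = {{id}}', { id: injection });
}

function demoObjectSet() {
  return renderMustache('UPDATE foobar SET {{property}} WHERE id = {{id}}',
    { id: 1, property: { foo: 'bar', num: 3.14 } });
}

function demoMangledLiteral() {
  // The "?" inside 'why?' is consumed as a placeholder, so the literal is
  // silently rewritten and the values shift by one.
  return formatQuestionMarks("SELECT * FROM notes WHERE body = 'why?' AND id = ?", [42, 7]);
}

console.log(demoMustache());
console.log(demoObjectSet());
console.log(demoMangledLiteral());
```

The caveat a practitioner wants here: escaping only works as long as the escape routine and the server agree on what a quote looks like in the connection's character set, and it does nothing for identifiers or keywords you let through unquoted. A driver-side prepared statement sidesteps both problems because the values never become part of the query text at all.
-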
@dkf said in Hipster your SQL!:
@Onyx I checked the source; I'm not sure if it is doing the right thing or not. The code delegates virtually everything to other libraries; the princess is in another castle…
-
@anotherusername said in Hipster your SQL!:
Also, if you use this syntax, "all ? are replaced, even those contained in comments and strings."
That sounds more like a problem of the MySQL lib than anything else. Also, I use
bind('SELECT * FROM foo WHERE bar = :param1 AND baz = :param2', array('param1' => $val1, 'param2' => $val2))
notation in PHP, don't tell me hipster languages can't handle something like that.
-
@Luhmann said in Hipster your SQL!:
@Onyx said in Hipster your SQL!:
WHY THE FUCK IS THIS EVEN A THING?
No idea! But CUTE CAT!
I feel that this is a brilliant opportunity for this.
http://15secondsofomg.com/wp-content/uploads/2014/08/Hamilton-the-Hipster-Cat.png
And on topic!
-
@DogsB
E_TOPHAT_NOT_FOUND
-
@DogsB I'll permit it.
-
@Onyx said in Hipster your SQL!:
A NodeJS module that does emulated prepares on SQL queries. Using mustache notation. Because why not?
WHY THE FUCK IS THIS EVEN A THING?
Edit: Changed to be more fitting
-
@Onyx said in Hipster your SQL!:
A NodeJS module that does emulated prepares on SQL queries. Using mustache notation. Because why not?
WHY THE FUCK IS THIS EVEN A THING?
Because hipsters would rather fuck around with bullshit projects that are "cool" rather than do real work. They don't strike me so much as interested in working as developers/programmers/engineers (whatever you want to call them), so much as doing whatever the fuck they want in their chosen space, and expecting to get paid for it.
Putting mustaches on things instead of working? Sure! Why not?! Reinvent the same damn shit that has already been solved a million times, but this time in JS/Node? Of course! Can't use any of that Business/Enterprise stuff, now can we? That would mean one had sold out/stopped being "true to oneself"/a special fucking snowflake.
One day ... one day I will let them promote me to manager. On that day, the hipsters should feel a MASSIVE disturbance in the Force. Because they will BE the millions of voices suddenly crying out in terror, soon to be silenced into the parking lot with a box of their shit, and a surprised look on their faces.
What? Too much? o_O Sorry, need more coffee :D
-
@DogsB said in Hipster your SQL!:
@Onyx said in Hipster your SQL!:
@DogsB
E_TOPHAT_NOT_FOUND
http://i.imgur.com/PoJcqEF.png
Better?
-
@dkf said in Hipster your SQL!:
@Onyx I checked the source; I'm not sure if it is doing the right thing or not. The code delegates virtually everything to other libraries; the princess is in another castle…
I have decided this thread is my new happy place today. I shall setup shop here today. :D
-
@Vaire said in Hipster your SQL!:
Because hipsters would rather fuck around with bullshit projects that are "cool" rather than do real work.
Which is fine until they create the next great SPA forum, and start selling it to suckers.
-
What does it mean by "emulated prepares?" Hopefully it's not doing naive string concatenation and making it look like a prepared statement?
-
@Onyx This is so terrible on so many levels, I can't even
-
This just seems like one of those projects that you put on a resume/cv and show off your hipster cred to other hipster web devs and gain more and more 'likes' on gitbook or facehub or whatever the kids use these days.
-
@Vaire Your righteous indignation is always welcome.
-
@mott555 It's escaping shit on the PHP rather than letting the database driver do it. I guess default being ON makes some kind of sense if you're using a driver that doesn't support emulation, but it should turn it off if at all possible. I am not entirely sure if it's smart enough to do it on its own so I always turn it off explicitly in my connection function.
-
@cartman82 The sad part is, I like mustache for web templating (except when you have to do tables with it, fucking DOM fuckery). But why the hell you would make another damned layer of abstraction and dependencies just to get mustache syntax in SQL queries is freaking beyond me.
-
@Onyx This is prepared statements surely?
// Parameterised command: the value is bound to @id, never spliced into the text
command.CommandText = "INSERT INTO Region (RegionID, RegionDescription) " +
    "VALUES (@id, @desc)";
SqlParameter idParam = new SqlParameter("@id", SqlDbType.Int, 0);
-
I am now tempted to write and publish mysqli::real_escape_string_mustache
-
@lucas1 An example of them, yes. I think all SQL database interfaces support them nowadays (IIRC, MySQL was the last hold-out and they stopped that nonsense long ago). They're quite a lot more efficient for repeated operations, and a lot less susceptible to SQL injection attacks (i.e., they're not susceptible at all).
-
@dkf I'm actually starting on Kickstarter, I've called it git freakin' book. I'm sure that'll get me a few million so I can ~~build a mansion~~ write the site.
-
@dkf I've almost always used an ORM or something that supports prepared statements so I am safe from SQL-injection.
-
@theBread said in Hipster your SQL!:
@dkf I'm actually starting on Kickstarter, I've called it git freakin' book. I'm sure that'll get me a few million so I can ~~build a mansion~~ write the site.
Sounds like effort.
Easier ways.
-
@lucas1 The ORM will (or at least should) be using prepared statements to implement its functionality.
-
@Lorne-Kates Didn't you watch the kickstarter video I posted a while back? You got to put at least a little effort to lure ~~suckers~~ potential backers.
-
@dkf Yes I always check this.
This on .NET https://github.com/StackExchange/dapper-dot-net
It is used on Stack-overflow so it is used in real production scenarios. Even though probably Jeff has some input, it works well and is reasonably lightweight.
-
@Onyx said in Hipster your SQL!:
@Vaire Your righteous indignation is always welcome.
Hipsters: I have hand crafted this new take on old ways--
Me: My lawn...
Hipsters: --it is a beautiful representation of what technology could be, if we just take a step back, take a deep breath, and let love into our wor--
Me: GET OFF IT! (╯°□°)╯︵ ┻━┻
-
@lucas1 said in Hipster your SQL!:
Even though probably Jeff has some input
Apparently not, according to the committer list. OTOH, was a major contributor…
-
@Onyx said in Hipster your SQL!:
module that does emulated prepares on SQL queries.
Hey! This sounds like something I can just...
Pre-edit: Why did you correct "use" to "just", keyboard?
-
@theBread said in Hipster your SQL!:
@Lorne-Kates Didn't you watch the kickstarter video I posted a while back?
That sounds like effort.
@theBread said in Hipster your SQL!:
You got to put at least a little effort to lure ~~suckers~~ potential backers.
That also sounds like effort. I don't want to do anything. I don't care. I'm promising literally nothing.
-
@Tsaukpaetra Sorry
-
@lucas1 said in Hipster your SQL!:
@Tsaukpaetra Sorry
That's my line, you culture-appropriating shit-tard.
-
@Lorne-Kates Fuck you :D
-
Could be worse - they could be using a query-string parser to parse command line arguments
// Each argv entry is treated as NAME=value; exit 1 if the environment disagrees
var parse = require("querystring").parse;
var conditions = process.argv.slice(2);
var query = conditions.join("&");
var expected = parse(query);
for (var env in expected) {
  if (process.env[env] !== expected[env]) {
    process.exit(1);
  }
}
process.exit(0);
-
@svieira What? No! NO! STAHP!