> I’m curious about binding as an idea.  I never used SQLite 1 or 2.  Was
> binding originally done to avoid security vulnerability or was that just
> the result of implementing it for some other reason?

If you are talking about things other than SQLite (which is very new to the 
scene as computerized DBMS goes), binding was done as a consequence of the EXEC 
SQL interface of most programming languages and how SQL was compiled into 
programming source code.  

Before the early versions of Sybase (1990's era) there was no such thing as 
"Dynamic SQL" where an SQL text statement was passed to the DBMS (as a string) 
to be prepared "dynamically".  SQL statements were embedded directly in the 
source programming language using an EXEC SQL (or other pre-compiler 
directive).  A pre-processor "extracted" the SQL statements, compiled 
(prepared) them, and stored them as parameterized packages in the database 
itself, and generated "pre-processed" source code which called (interfaced 
with) those packages.  

The compilation unit of the EXEC SQL statements and the source program were a 
single package and you had to recompile the whole kit-and-kaboodle to 
re-optimize the SQL Query itself (some DBMS would allow you to "rebind" an 
existing package without recompiling from source -- though that was a "feature" 
much later added, probably in the mid to late 80's).  

Twenty years on Sybase came along in the 1990's and supported dynamic statement 
preparation -- effectively using a dynamic "prepare" passed a string value to 
dynamically create the package to be executed and requiring the programmer to 
"manually create" the package binding code in the source.  This is the 
interface that is everywhere now.  The EXEC SQL interface has all but 
disappeared in most languages (though there was an interim period in the 90's 
where the EXEC SQL preprocessor would generate code which created a dynamic 
interface to the DBMS).  

Then along came the standardized CLI interfaces which used the 
prepare/bind/step/fetch model in use today.  Some called it the CLI 
(IBM/Oracle/Sybase) and others called it things like ODBC.  But they are all 
the same with very few differences.

When the EXEC SQL preprocessors went "out of favour", as it were, because 
(a) the interface code was easy enough to generate by hand; and, (b) DBMS 
vendors were too "cheap" to write pre-processors for every language, is when 
laziness-induced bad programming habits introduced the "SQL Infection" 
vulnerability which prior to the 1990's was impossible to create, even if one 
wanted to, since the text of the SQL was embedded in the source code and 
compiled by a pre-processor.  There was no way to execute "user provided" SQL 
statements even if one wanted to.
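As an added illustration (not part of the original post) of the prepare/bind/step/fetch model beside hand-built dynamic SQL, using Python's standard sqlite3 module on a constructed in-memory table; the table, names and helper functions are assumptions for the demo:

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    # The inserts themselves use bound parameters, so a name containing a
    # quote is stored verbatim rather than being parsed as SQL.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("o'brien", "user")])
    return conn


def lookup_concat(conn, name):
    """Hand-built dynamic SQL: the caller's text is spliced into the statement,
    so SQLite parses it as SQL rather than treating it as data."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """prepare/bind/step/fetch: the statement text is fixed at prepare time and
    the value is bound to the ? placeholder, so it can only ever be a value."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def compare(conn, name):
    """Run both lookups for one input. Returns (bound_rows, concat_outcome),
    where concat_outcome is the row list, or 'parse error' if SQLite rejected
    the statement once the caller's text became part of it."""
    bound = lookup_bound(conn, name)
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError:
        concat = "parse error"
    return bound, concat


if __name__ == "__main__":
    db = make_db()
    for n in ("alice", "o'brien"):
        print(n, "->", compare(db, n))
```

For a plain name both paths agree; for a name containing a quote the bound statement still finds the row while the concatenated statement fails to parse, which is the same mechanism an attacker-controlled string exploits.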

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users