mojolicious/mojo-pg

EP templates for Mojo::Pg

Closed this issue · 6 comments

How about an addon to use .ep templates for queries?
Example of named parameters:

$db->query('insert into names (name) values (<%= $name %>)', name => 'Sara');

Full support for Perl will make it possible to build queries:

$db->query(q{
    select
        *
    from
        names
    where
        <% if (defined $name) { %>
            "name" = <%= $name %>
        <% } elsif (defined $id) { %>
            "id" = <%= $id %>
        <% } %>
}, id => 1);

If you need something like this you can of course use Mojo::Template directly. That said, this is just begging to get sql-injection-attacked by people who don't understand what that is. I'm going to preemptively close this as I would see it as nearly a security issue if Mojo::Pg allowed this.

Suggested approach could also use placeholders instead of directly using values.

Placeholders already exist. The only reason I can imagine for using templates is to do things that placeholders do not allow, like picking a column name dynamically for example (as the OP does).

@jberger You're right about the sql-injection, so you cannot directly use Mojo::Template. It needs a hack to replace the values in the ?.

If I try to make these templates, what namespace is better to use for the package?

I highly HIGHLY recommend prototyping this off of CPAN (as in, try it in a real application before putting it online). I consider any exploration of this kind of module to be really dangerous. Anyway this isn't the right place to discuss a new module, please either continue it on the universe mailing list (brand new!) https://groups.google.com/forum/#!forum/mojolicious-universe or else on prepan.
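The "replace the values in the ?" idea from the thread, written out as an added example (not Mojo::Pg code, and not an API the project offers): the template decides the shape of the statement, but every value goes through an assumed `$param` helper that emits a `?` and pushes the value onto a bind list, so the value itself never lands in the SQL text. The function name `template_query` and the `$param` helper are assumptions for this illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Mojo::Template;

# Render an .ep SQL template into (sql, @binds). Every <%= $param->($v) %>
# becomes a "?" in the SQL and $v is appended to @binds for DBI to bind.
# Assumed helper for this example; not part of Mojo::Pg.
sub template_query {
    my ($template, %vars) = @_;
    my @binds;
    my $mt  = Mojo::Template->new(vars => 1);   # named variables: $name, $id, ...
    my $sql = $mt->render($template, {
        %vars,
        # the only way a value reaches the statement: as a placeholder
        param => sub { push @binds, $_[0]; return '?' },
    });
    die $sql if ref $sql;                       # render() returns Mojo::Exception on error
    $sql =~ s/\s+/ /g;                          # collapse template whitespace
    $sql =~ s/^\s+|\s+$//g;
    return ($sql, @binds);
}

# The OP's branching WHERE clause, with values routed through $param.
# With vars => 1 every variable used in the template must be passed,
# even when undef, otherwise "use strict" rejects the template.
my $tmpl = q{
    select * from names
    where
    <% if (defined $name) { %>
        "name" = <%= $param->($name) %>
    <% } elsif (defined $id) { %>
        "id" = <%= $param->($id) %>
    <% } %>
};

# Constructed input: a value containing a quote, which would break (or
# alter) the statement if it were interpolated as text.
my ($sql, @binds) = template_query($tmpl, name => "O'Brien", id => undef);
print "$sql\n";
print join(', ', @binds), "\n";

# With a real handle this is the usual placeholder call:
# $db->query($sql, @binds);
```

Rendered this way the statement is `select * from names where "name" = ?` with a single bind value `O'Brien`; the column choice still comes from the template (the thing placeholders cannot express), while the quote in the value is handled by the driver rather than by string concatenation.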