Simple and safe SQL queries with C++ templates

Joseph (Yossi) Gil, Keren Lenz
2010 Science of Computer Programming  
Most software applications use a relational database for data management and storage. Interaction with such a database is often done by letting the program construct strings with valid SQL statements, which are then sent for execution to the database engine. The fact that these statements are only checked for correctness at runtime is a source for many potential problems such as type and syntax errors and vulnerability to injection attacks. The ARARAT system presented here offers a method for
more » ... aling with these predicaments, by coercing the host C++ compiler to do the necessary checks of the generated strings. A library of templates and preprocessor directives effectively extends C++ with a little language representing an augmented relational algebra formalism. Type checking of this language extension, carried out by our template library, assures, at compile-time, the correctness and safety of the generated SQL strings. That is to say that all SQL statements constructed by the system are syntactically correct, legal with respect to the database schema, and immune to injection attacks. Standard techniques (e.g., "expression templates") for compile time representation of symbolic structures, are enhanced in our system to support a type system (featuring structural equivalence) and a symbol table lookup of the symbolic structure. Our work may also open the way for embedding other domain specific languages in C++. The system provides also initial support for the task of defining C++ data structures required for storing the results returned by database queries. An optional pre-processor can be used to define the database scheme to the C++ program.
doi:10.1016/j.scico.2010.01.004 fatcat:hmttvcfsfvdmniv7pxkjxe4ogq