Add an advice to docs to use .toParams() over .toString()

[Suor]

Or even suggest that .toString() is for debugging purposes only as values are not escaped by actual backend.

[prust]

@Suor: Due to security concerns? Maybe along with a mention of SQL injection attacks and a link to https://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements ?

[Suor]

Yes, and not only security. People came to me with issues several times
when database was not understanding query stringification.

In one case it was even custom type that just db library understands by
it's own hooks.

27 окт. 2016 г. 22:23 пользователь "Peter Rust" notifications@github.com
написал:

@Suor https://github.com/Suor: Due to security concerns? Maybe along
with a mention of SQL injection attacks and a link to
https://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements ?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#90 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/AARVx6HLTWjp68OZ_X1YHYVG-2jqvXJRks5q4MIGgaJpZM4Kh7r2
.

[prust]

@Suor: I see, good to know. I can add something to the "Use" sections on the readme & the docs, as well as a mention in the .toString() & .toParams() documentation.

[Suor]

Thanks.

[prust]

Thanks for encouraging me to do this @Suor, addressed in b38c07b.