I would like to use postgresql-simple for my database access layer in my application and i was wondering what the best method would be for dynamically building my sql queries. A simple example of what i would want to accomplish would be the following:
A user has a series of filters than can apply to the things they are searching:
- Number of pets
- Name of pet
- When pet was created
- etc
How should i handle composing the filters such that i dont make myself susceptible to attacks. My frst instinct would be that i would need to only worry about String/Text data since i can check that the number that comes in is actually a number and the date supplied is actually a date. Using the following format:
makeNumberOfPetsFragment :: String -> Either String String
makeNumberOfPetsFragment candidate =
case createStatement of
Left _ -> Left "Error creating number of pets filter"
Right x -> Right ("WHERE number_of_pets = " ++ (show x))
where createStatement = readEither candidate :: Either String Int
I'm not sure if this is just a bad approach or if it would be better to just use existing libraries or if there is a better approach in pre made statements that i just am not thinking about.