Talk:String interpolation

The PHP example uses a   /x41   ('41'x)   and indicates it should show a capital A.
This would be true only for ASCII computers, not for EBCDIC. -- GerardSchildberger (talk) 20:23, 23 December 2012 (UTC)[reply]

As more languages are added to the list, should they be placed in alphabetic order to make finding/perusing them easier? -- GerardSchildberger (talk) 20:35, 23 December 2012 (UTC)[reply]

I think the section in security issues should be removed. The reason is that it has nothing to do with string interpolation. You get the same problem when you do simple concatenation (as it already says in the article) ie:

 query = "SELECT x, y, z FROM Table WHERE id='".$id."' ";

No difference at all. So actually I'm just going to remove the section myself right now. Fresheneesz (talk) 10:21, 27 December 2012 (UTC)[reply]

So I decided not to remove it myself, I want to get a second on this. If someone else agrees with me, I urge you to remove the section. Fresheneesz (talk) 10:23, 27 December 2012 (UTC)[reply]

Don't remove. It's a huge security issue. Concatenation is a runtime code execution security hole. String interpolation is a static text data security hole. A string interpolation problem could lie dormant in a database field for _years_ until it's finally triggered. Also, depending on the language or data form, the string interpolation could be _nested_, recursively expanding into something very nasty and totally opaque to surface analysis. Concatenation is like A=B+C, whereas string interpolation is like A=function(B,C), where function could be defined to be anything. Damon Simms (talk) 04:18, 19 March 2014 (UTC)[reply]