<br><br><div class="gmail_quote">On Dec 10, 2007 3:21 AM, Jamie Bullock <<a href="mailto:jamie@postlude.co.uk">jamie@postlude.co.uk</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="Ih2E3d"><br>On Sun, 2007-12-09 at 21:47 -0500, Mathieu Bouchard wrote:<br>> On Sun, 9 Dec 2007, Jamie Bullock wrote:<br>><br>> > Then I persuaded him that passing the queries as a list to the inlet
<br>> > would be more flexible. It also greatly reduces the number of objects<br>> > required to send a query, if you have more than one query.<br>><br>> I don't understand the latter part. How does it work? I'm talking about
<br>> putting any number of queries together in a single object and passing the<br>> arguments of those queries all together in a list. How can you reduce the<br>> number of objects more than that?<br><br></div>The way you are suggesting always requires at least 2 objects per query:
<br>an object to build the query and a message to send it. So if you have 5<br>different queries (I mean with different statements not just different<br>data), then you would need at least 10 objects. This would be the case
<br>even if there was no variable data in the queries. Using the [psql] way<br>of doing things, provided that the queries have no variable atoms, only<br>6 objects would be required, one for the database connection, and 5
<br>containing the queries, which when passed to the connection object also<br>trigger the sending.</blockquote><div><br class="webkit-block-placeholder"></div><div>Well, Jamie, at the same time, I think that Mathieu might be refering how the output is handled from the 'sql' external. That is the part that would make having just a single instance of a database object difficult at best to work with. From some of the early tests that I have done, I have pretty much always assumed that each instance would be outputing a different result set. If you only used one database object, you would have to figure out how to route all the result sets.
</div><div><br class="webkit-block-placeholder"></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><br><div class="Ih2E3d"><br><br>> Your way takes at least two objects
<br>> instead of one and it does not provide any protection against SQL<br>> injection because it can't distinguish between a symbol passed as a SQL<br>> argument and a symbol representing part of the statement syntax itself.
<br><br></div>True, this is a good argument for the [expr]-style SQL object. Although<br>there may be other ways to provide some protection against injection<br>like allowing the user to lock the number of statements in the query.
</blockquote><div><br class="webkit-block-placeholder"></div><div>Could someone please explain that IMPORTANCE of worrying about SQL injection? Just how would it effect users of PD?</div><div><br class="webkit-block-placeholder">
</div><div>Mike</div><div> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><br><div><div></div><div class="Wj3C7c"><br>Jamie<br><br><br><br>--<br><a href="http://www.postlude.co.uk" target="_blank">
www.postlude.co.uk</a><br><br><br>_______________________________________________<br><a href="mailto:PD-list@iem.at">PD-list@iem.at</a> mailing list<br>UNSUBSCRIBE and account-management -> <a href="http://lists.puredata.info/listinfo/pd-list" target="_blank">
http://lists.puredata.info/listinfo/pd-list</a><br></div></div></blockquote></div><br><br clear="all"><br>-- <br>Peace may sound simple—one beautiful word— but it requires everything we have, every quality, every strength, every dream, every high ideal.
<br>—Yehudi Menuhin (1916–1999), musician