[PD] [psql] object hand-holding
jamie at postlude.co.uk
Mon Dec 10 10:21:55 CET 2007

On Sun, 2007-12-09 at 21:47 -0500, Mathieu Bouchard wrote:
> On Sun, 9 Dec 2007, Jamie Bullock wrote:
> > Then I persuaded him that passing the queries as a list to the inlet
> > would be more flexible. It also greatly reduces the number of objects
> > required to send a query, if you have more than one query.
> I don't understand the latter part. How does it work? I'm talking about
> putting any number of queries together in a single object and passing the
> arguments of those queries all together in a list. How can you reduce the
> number of objects more than that?

The way you are suggesting always requires at least 2 objects per query:
an object to build the query and a message to send it. So if you have 5
different queries (I mean with different statements not just different
data), then you would need at least 10 objects. This would be the case
even if there was no variable data in the queries. Using the [psql] way
of doing things, provided that the queries have no variable atoms, only
6 objects would be required, one for the database connection, and 5
containing the queries, which when passed to the connection object also
trigger the sending.

> Your way takes at least two objects
> instead of one and it does not provide any protection against SQL
> injection because it can't distinguish between a symbol passed as a SQL
> argument and a symbol representing part of the statement syntax itself.

True, this is a good argument for the [expr]-style SQL object. Although
there may be other ways to provide some protection against injection
like allowing the user to lock the number of statements in the query.
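
Added example, not part of the original message and not [psql] code: a Python sketch of the two query styles discussed above and of a statement-count lock, showing what each does when data atoms read as SQL syntax. Python's sqlite3 stands in for the PostgreSQL connection; the `patch` table, the sample rows and all function names are constructed for illustration.

```python
import sqlite3

def count_statements(sql):
    """Count ';'-separated statements, ignoring ';' inside single quotes."""
    count, in_quote, pending = 0, False, False
    for ch in sql:
        if ch == "'":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            count, pending = count + pending, False
        elif not ch.isspace():
            pending = True
    return count + pending

def run_joined(db, atoms, locked_count=None):
    """List style: every atom, data or syntax, is joined into the statement."""
    sql = " ".join(str(a) for a in atoms)
    if locked_count is not None and count_statements(sql) != locked_count:
        raise ValueError("statement count differs from the locked count")
    return sorted(db.execute(sql).fetchall())

def run_bound(db, template, args):
    """Placeholder style: fixed statement text, arguments passed separately."""
    return sorted(db.execute(template, args).fetchall())

def demo():
    db = sqlite3.connect(":memory:")  # stand-in for the PostgreSQL connection
    db.execute("CREATE TABLE patch (name TEXT, owner TEXT)")  # constructed data
    db.executemany("INSERT INTO patch VALUES (?, ?)",
                   [("synth", "alice"), ("drums", "bob")])
    prefix = ["SELECT", "name", "FROM", "patch", "WHERE", "owner", "="]
    out = {}
    # Intended use: one data atom after the fixed prefix.
    out["joined_ok"] = run_joined(db, prefix + ["'alice'"], locked_count=1)
    # Data atoms that read as syntax: still one statement, so the lock passes.
    out["joined_rewritten"] = run_joined(db, prefix + ["'alice'", "OR", "1=1"], locked_count=1)
    # A second statement in the data is what the count lock does catch.
    try:
        run_joined(db, prefix + ["'alice'", ";", "SELECT", "owner", "FROM", "patch"], locked_count=1)
        out["stacked"] = "executed"
    except ValueError:
        out["stacked"] = "rejected"
    # Bound argument: the same text is compared as a value, never parsed.
    template = "SELECT name FROM patch WHERE owner = ?"
    out["bound_ok"] = run_bound(db, template, ("alice",))
    out["bound_hostile"] = run_bound(db, template, ("alice OR 1=1",))
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The count lock rejects the stacked statement but lets the rewritten WHERE clause through, while the bound form returns no rows for the same text.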