[PD] [psql] object hand-holding

Mike McGonagle mjmogo at gmail.com
Mon Dec 10 16:55:37 CET 2007


On Dec 10, 2007 3:21 AM, Jamie Bullock <jamie at postlude.co.uk> wrote:

>
> On Sun, 2007-12-09 at 21:47 -0500, Mathieu Bouchard wrote:
> > On Sun, 9 Dec 2007, Jamie Bullock wrote:
> >
> > > Then I persuaded him that passing the queries as a list to the inlet
> > > would be more flexible. It also greatly reduces the number of objects
> > > required to send a query, if you have more than one query.
> >
> > I don't understand the latter part. How does it work? I'm talking about
> > putting any number of queries together in a single object and passing the
> > arguments of those queries all together in a list. How can you reduce the
> > number of objects more than that?
>
> The way you are suggesting always requires at least 2 objects per query:
> an object to build the query and a message to send it. So if you have 5
> different queries (I mean with different statements not just different
> data), then you would need at least 10 objects. This would be the case
> even if there was no variable data in the queries. Using the [psql] way
> of doing things, provided that the queries have no variable atoms, only
> 6 objects would be required, one for the database connection, and 5
> containing the queries, which when passed to the connection object also
> trigger the sending.


Well, Jamie, at the same time, I think that Mathieu might be referring to how
the output is handled from the 'sql' external. That is the part that would
make having just a single instance of a database object difficult at best to
work with. From some of the early tests that I have done, I have pretty much
always assumed that each instance would be outputting a different result set.
If you only used one database object, you would have to figure out how to
route all the result sets.


>
>
> > Your way takes at least two objects
> > instead of one and it does not provide any protection against SQL
> > injection because it can't distinguish between a symbol passed as a SQL
> > argument and a symbol representing part of the statement syntax itself.
>
> True, this is a good argument for the [expr]-style SQL object. Although
> there may be other ways to provide some protection against injection
> like allowing the user to lock the number of statements in the query.


Could someone please explain the IMPORTANCE of worrying about SQL
injection? Just how would it affect users of PD?

Mike


>
>
> Jamie
>
>
>
> --
> www.postlude.co.uk
>
>



-- 
Peace may sound simple—one beautiful word— but it requires everything we
have, every quality, every strength, every dream, every high ideal.
—Yehudi Menuhin (1916–1999), musician
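The two query-building styles argued over in this thread, and the injection point Mathieu describes, can be seen in a few lines of Python. This is an added example, not code from the thread, from the [psql] external or from the 'sql' external. It models a Pd message as a list of atoms and runs both styles against an in-memory SQLite database: style 1 joins the atoms into SQL text (one object per query, quoting done by hand in the patch), style 2 keeps a fixed statement with [expr]-like slots and binds the atoms as parameters. The `$s1` slot syntax, the table names and the sample values are all constructed for the example; `executescript()` is used in one place to stand in for a database API that accepts several ';'-separated statements in one string, as libpq's PQexec does.

```python
import re
import sqlite3

# Constructed sample data (not from the thread): a sample library and a
# second table standing in for anything a patch author would not want read.
SCHEMA = """
CREATE TABLE samples (name TEXT, path TEXT);
INSERT INTO samples VALUES ('kick', '/sounds/kick.wav');
INSERT INTO samples VALUES ('snare', '/sounds/snare.wav');
CREATE TABLE secrets (k TEXT, v TEXT);
INSERT INTO secrets VALUES ('db_password', 'hunter2');
"""

LOOKUP = "SELECT path FROM samples WHERE name = $s1"   # hypothetical [expr]-like syntax


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def statement_atoms(user_value):
    """Style 1 message: the whole statement is a Pd list, and the patch author
    wraps the variable atom in single quotes by hand."""
    return ["SELECT", "path", "FROM", "samples", "WHERE", "name", "=",
            "'" + user_value + "'"]


def concatenated_query(conn, atoms):
    """Style 1: atoms are joined with spaces and sent as SQL text.  The database
    cannot tell a data symbol from a syntax symbol, so a value containing a
    quote rewrites the statement."""
    sql = " ".join(str(a) for a in atoms)
    return conn.execute(sql).fetchall()


PLACEHOLDER = re.compile(r"\$[sf](\d+)")


def parameterized_query(conn, statement, atoms):
    """Style 2 ([expr]-like): the statement is fixed when the object is created
    and only carries $s1/$f1-style slots (hypothetical syntax).  Incoming atoms
    are bound as parameters and never spliced into the SQL text."""
    order = [int(m.group(1)) - 1 for m in PLACEHOLDER.finditer(statement)]
    sql = PLACEHOLDER.sub("?", statement)
    params = [atoms[i] for i in order]
    return conn.execute(sql, params).fetchall()


def lookup_both_ways(user_value):
    """Run the same lookup in both styles; returns (style1_rows, style2_rows)."""
    conn = fresh_db()
    rows_concat = concatenated_query(conn, statement_atoms(user_value))
    rows_param = parameterized_query(conn, LOOKUP, [user_value])
    return rows_concat, rows_param


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def stacked_statement_both_ways(user_value):
    """Feed a value carrying a second statement to both styles.  Style 1 hands
    the text to a multi-statement API (executescript mimics PQexec here);
    returns (samples_table_survives_style1, samples_table_survives_style2)."""
    conn1 = fresh_db()
    conn1.executescript(" ".join(statement_atoms(user_value)))
    conn2 = fresh_db()
    parameterized_query(conn2, LOOKUP, [user_value])
    return table_exists(conn1, "samples"), table_exists(conn2, "samples")


if __name__ == "__main__":
    for value in ("kick",
                  "x' OR '1'='1",
                  "x' UNION SELECT v FROM secrets WHERE '1'='1"):
        concat, param = lookup_both_ways(value)
        print(repr(value), "-> concatenated:", concat, "| parameterized:", param)
    print("samples table survives:", stacked_statement_both_ways("x'; DROP TABLE samples; --"))
```

With the honest value `kick` both styles return the same single row. A value such as `x' OR '1'='1` arriving as one symbol (from a file name, [netreceive], a GUI entry) makes style 1 return every row and style 2 none; a `UNION` value reads the second table through style 1 only; and a value carrying `; DROP TABLE samples; --` deletes the table through style 1 when the external hands the text to an API that runs several statements. Locking the number of statements, as Jamie suggests, stops only the last of these; parameter binding stops all three because the atom can never become syntax.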