[PD] [psql] object hand-holding

Hans-Christoph Steiner hans at eds.org
Mon Dec 10 17:47:45 CET 2007 

On Dec 10, 2007, at 4:21 AM, Jamie Bullock wrote:

>
> On Sun, 2007-12-09 at 21:47 -0500, Mathieu Bouchard wrote:
>> On Sun, 9 Dec 2007, Jamie Bullock wrote:
>>
>>> Then I persuaded him that passing the queries as a list to the inlet
>>> would be more flexible. It also greatly reduces the number of  
>>> objects
>>> required to send a query, if you have more than one query.
>>
>> I don't understand the latter part. How does it work? I'm talking  
>> about
>> putting any number of queries together in a single object and  
>> passing the
>> arguments of those queries all together in a list. How can you  
>> reduce the
>> number of objects more than that?
>
> The way you are suggesting always requires at least 2 objects per  
> query:
> an object to build the query and a message to send it. So if you  
> have 5
> different queries (I mean with different statements not just different
> data), then you would need at least 10 objects. This would be the case
> even if there was no variable data in the queries. Using the [psql]  
> way
> of doing things, provided that the queries have no variable atoms,  
> only
> 6 objects would be required, one for the database connection, and 5
> containing the queries, which when passed to the connection object  
> also
> trigger the sending.

>> Your way takes at least two objects
>> instead of one and it does not provide any protection against SQL
>> injection because it can't distinguish between a symbol passed as  
>> a SQL
>> argument and a symbol representing part of the statement syntax  
>> itself.
>
> True, this is a good argument for the [expr]-style SQL object.  
> Although
> there may be other ways to provide some protection against injection
> like allowing the user to lock the number of statements in the query.

For a place where you are expecting a number, you can protect against  
a SQL injection attack by merely putting a [float] before the message  
box with the SQL in it.  In other situations, I think that Perl has a  
pretty decent idea: a "SQL quote" function.  This could easily be a  
Pd object, [sqlquote], which would work with all of the SQL objects.  
This would probably be the easiest to implement.

SQL Placeholders seem like a good idea, and SQL already has a  
defined, documented, and  supported syntax for SQL placeholders.   
Ruby, Perl, Java, PHP and others use it, and I think we should use it  
too. Since we already have an inlet that is designed to accept only  
SQL.  There seems to be two defined as part of SQL, "?" for generic,  
and ":name" for named placeholders.

- the "?" could be supported by sending lists to the hot inlet. So if  
there were three "?" in the SQL statement, then you'd send a [5 Joe  
1239.2( to the hot inlet.

- the names ones could be supported as selectors to the hot inlet:

[insert into table (name,age) values (:name,:age) (     <--- cold inlet
[name Lila(                                             <--- hot inlet
[age 12(                                                <--- hot inlet

Then the SQL quoting would be handled internally to the Pd object.  I  
added examples of this to the interface sketch, it's attached.  This  
part could be safely implemented later, I think.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sql-interface.pd
Type: application/octet-stream
Size: 7072 bytes
Desc: not available
URL: <http://lists.puredata.info/pipermail/pd-list/attachments/20071210/acbeda65/attachment.obj>
-------------- next part --------------


This way, the object represents the database itself, the object's  
arguments can represent the connection to the database, then  
different queries are represented using messages sent to the database  
object.  That seems to mirror conceptually what's actually happening.

Lastly, I know that this is getting more complicated to implement,  
but I think it'll pay off in the end.  I'll happily help out with the  
implementation if either of you want me too.  Also, once this is  
ironed out, I'd like to port the Max/MSP [mysql] object to whatever  
interface we come up with.

.hc


------------------------------------------------------------------------ 
----

Computer science is no more related to the computer than astronomy is  
related to the telescope.      -Edsger Dykstra

More information about the Pd-list mailing list