[PD] [psql] object hand-holding

Mathieu Bouchard matju at artengine.ca
Mon Dec 10 18:18:38 CET 2007

On Mon, 10 Dec 2007, Jamie Bullock wrote:

> The way you are suggesting always requires at least 2 objects per query:
> an object to build the query and a message to send it.

I assumed that there would always be one variable part per query, so that 
there's always a float or symbol or list coming from somewhere to trigger 
the query. Some queries take no arguments but in my experience they are 
rather exceptional. So in the usual case it takes 1 object per query, and 
if the statement is completely non-variable, it takes a bang coming from 
somewhere, which could be counted as a "bang" messagebox or not, depending 
on how you count.

> Using the [psql] way of doing things, provided that the queries have no 
> variable atoms,

This almost *never* happens. As long as what you do in Pd is regular 
read-write activities involving tables that contain data that you only 
want to see a small part of at a time, you need variable atoms in almost 
any query:

   select person from attendance where chatroom=?
   select chatroom from attendance where person=?
   select * from users where user=?
   select * from chatrooms where chatroom=?

apps more likely to have invariable queries are apps that started small, 
stayed small, and will never be expanded.

> True, this is a good argument for the [expr]-style SQL object. Although
> there may be other ways to provide some protection against injection
> like allowing the user to lock the number of statements in the query.

checking the number of statements is not enough: what about a value like: 
(including quotes)


put inside this statement:

   delete from users where username='$1'

this query will delete the complete table.

  _ _ __ ___ _____ ________ _____________ _____________________ ...
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada

More information about the Pd-list mailing list