[PD] [psql] object hand-holding

Mathieu Bouchard matju at artengine.ca
Mon Dec 10 18:18:38 CET 2007


On Mon, 10 Dec 2007, Jamie Bullock wrote:

> The way you are suggesting always requires at least 2 objects per query:
> an object to build the query and a message to send it.

I assumed that there would always be one variable part per query, so that 
there's always a float or symbol or list coming from somewhere to trigger 
the query. Some queries take no arguments but in my experience they are 
rather exceptional. So in the usual case it takes 1 object per query, and 
if the statement is completely non-variable, it takes a bang coming from 
somewhere, which could be counted as a "bang" messagebox or not, depending 
on how you count.

> Using the [psql] way of doing things, provided that the queries have no 
> variable atoms,

This almost *never* happens. As long as what you do in Pd is regular 
read-write activities involving tables that contain data that you only 
want to see a small part of at a time, you need variable atoms in almost 
any query:

   select person from attendance where chatroom=?
   select chatroom from attendance where person=?
   select * from users where user=?
   select * from chatrooms where chatroom=?

apps more likely to have invariable queries are apps that started small, 
stayed small, and will never be expanded.

> True, this is a good argument for the [expr]-style SQL object. Although
> there may be other ways to provide some protection against injection
> like allowing the user to lock the number of statements in the query.

checking the number of statements is not enough: what about a value like 
the following (including quotes):

   'or'1

put inside this statement:

   delete from users where username='$1'

this query will delete the complete table.

  _ _ __ ___ _____ ________ _____________ _____________________ ...
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada
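As an added example (not code from the mail or from [psql]), the two approaches side by side in Python: the atom pasted into the statement text, as the mail warns against, and the [expr]-style fixed statement with a `?` placeholder. An in-memory SQLite table stands in for the PostgreSQL that [psql] talks to, and the table contents are constructed.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for PostgreSQL here.
SEED_USERS = ["alice", "bob", "carol"]


def fresh_db():
    """In-memory database with a small 'users' table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (username text)")
    con.executemany("insert into users values (?)", [(u,) for u in SEED_USERS])
    con.commit()
    return con


def count_users(con):
    return con.execute("select count(*) from users").fetchone()[0]


def delete_user_interpolated(con, username):
    """The pattern the mail warns about: the atom is pasted into the statement
    text, so quote characters inside it become part of the SQL. With the value
    'or'1 the statement becomes  delete from users where username=''or'1'
    and the OR branch is true for every row."""
    sql = "delete from users where username='%s'" % username
    con.execute(sql)
    con.commit()
    return count_users(con)


def delete_user_parameterized(con, username):
    """The [expr]-style alternative: the statement is fixed and the atom is
    handed to the driver as a value, so its quotes never reach the parser."""
    con.execute("delete from users where username=?", (username,))
    con.commit()
    return count_users(con)


if __name__ == "__main__":
    payload = "'or'1"  # the value from the mail, quotes included
    print("interpolated, payload   :", delete_user_interpolated(fresh_db(), payload))
    print("parameterized, payload  :", delete_user_parameterized(fresh_db(), payload))
    print("parameterized, real name:", delete_user_parameterized(fresh_db(), "bob"))
```

With the interpolated form the payload leaves zero rows in the table; with the placeholder form it matches nothing and all three rows survive, while a genuine username still deletes exactly one row.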

