[PD] [psql] object hand-holding

Mathieu Bouchard matju at artengine.ca
Mon Dec 10 20:41:46 CET 2007


On Mon, 10 Dec 2007, Mike McGonagle wrote:

> I guess what I am getting at is that I don't see how we can prevent people
> from using this maliciously.

Using true placeholders or another form of automatic quoting.

> If they are creating the SQL and putting the data into it, how can we 
> stop them from being idiots?

If you have automatic quoting, you don't even have to think about who is 
an idiot and who isn't. I don't want to think about who's an idiot and who 
isn't. I don't want you to think about it.

> Are you saying that we need to do data checking prior to the data being 
> sent to the server?

If you quote your data properly then you don't need to check whether the 
data will garble the query's syntax or not. Therefore, no, I don't think 
what you need to do on the data is a "check"... though at the character 
level, you have to "check" in order to know which chars have to be 
replaced.

  _ _ __ ___ _____ ________ _____________ _____________________ ...
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada
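The two approaches the reply contrasts, as an added example that is not part of the thread or of the [psql] object: a query built by pasting data into the SQL text, beside a true placeholder and a minimal character-level quoting routine. It assumes a constructed in-memory SQLite table (the database backend and schema are assumptions, not the object's own) and standard SQL string-literal syntax.

```python
import sqlite3

def make_db():
    """Constructed demo table; not the [psql] object's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO notes (body) VALUES (?)",
                     [("hello",), ("it's here",), ("secret",)])
    conn.commit()
    return conn

def query_concat(conn, body):
    """Data pasted into the SQL text: any quote character in the data
    becomes part of the query's syntax. Returns None when the query is
    garbled (the driver rejects it), otherwise the matching ids."""
    sql = "SELECT id FROM notes WHERE body = '%s'" % body
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None

def query_placeholder(conn, body):
    """True placeholder: the driver carries the data separately from the
    SQL, so no character in it can alter the query's structure."""
    sql = "SELECT id FROM notes WHERE body = ?"
    return [row[0] for row in conn.execute(sql, (body,))]

def quote_literal(s):
    """Automatic quoting at the character level, for a backend without
    placeholders: in a standard SQL string literal the single quote is the
    one character that must be replaced (by doubling it). Assumes no
    backslash-escape dialect is enabled."""
    return "'" + s.replace("'", "''") + "'"

def query_quoted(conn, body):
    """Same query, with the data quoted before it is pasted in."""
    sql = "SELECT id FROM notes WHERE body = " + quote_literal(body)
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    print(query_concat(db, "it's here"))       # None: query syntax garbled
    print(query_placeholder(db, "it's here"))  # [2]
    print(query_quoted(db, "it's here"))       # [2]
```

With the placeholder or the quoting routine the apostrophe in "it's here" is just data; with plain concatenation the same input is a broken query, which is the failure the quoting is meant to rule out without any per-user judgement.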
