[PD] [psql] object hand-holding

Mathieu Bouchard matju at artengine.ca
Mon Dec 10 20:41:46 CET 2007

On Mon, 10 Dec 2007, Mike McGonagle wrote:

> I guess what I am getting at is that I don't see how we can prevent people
> from using this maliciously.

Using true placeholders or other form of automatic quoting.

> If they are creating the SQL and putting the data into it, how can we 
> stop them from being idiots?

If you have automatic quoting, you don't even have to think about who is 
an idiot and who isn't. I don't want to think about who's an idiot and who 
isn't. I don't want you to think about it.

> Are you saying that we need to do data checking prior to the data being 
> sent to the server?

If you quote your data properly then you don't need to check whether the 
data will garble the query's syntax or not. Therefore, no, I don't think 
what you need to do on the data is a "check"... though at the character 
level, you have to "check" in order to know which chars have to be 

  _ _ __ ___ _____ ________ _____________ _____________________ ...
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada

More information about the Pd-list mailing list