[PD] [psql] object hand-holding

Hans-Christoph Steiner hans at eds.org
Mon Dec 10 22:07:00 CET 2007 

On Dec 10, 2007, at 1:42 PM, Jamie Bullock wrote:

>
> On Mon, 2007-12-10 at 12:18 -0500, Mathieu Bouchard wrote:
>
>>
>> This almost *never* happens. As long as what you do in Pd is regular
>> read-write activities involving tables that contain data that you  
>> only
>> want to see a small part of at a time, you need variable atoms in  
>> almost
>> any query:
>>
>>    select person from attendance where chatroom=?
>>    select chatroom from attendance where person=?
>>    select * from users where user=?
>>    select * from chatrooms where chatroom=?
>>
>> apps more likely to have invariable queries are apps that started  
>> small,
>> stayed small, and will never be expanded.
>
> I take your point, but I think you are exaggerating slightly. I just
> looked at the code for a database driven web app I worked on recently.
> It uses 30 queries, 3 of which have no variables. Out of these three
> only one doesn't 'overlap' with other queries and therefore can't be
> refactored. Maybe 1 in 30 is almost never? Anyhow - I agree that I
> probably can't argue the case for the [psql]-style of operation on the
> grounds of reduced object count :-|
>
>>> True, this is a good argument for the [expr]-style SQL object.  
>>> Although
>>> there may be other ways to provide some protection against injection
>>> like allowing the user to lock the number of statements in the  
>>> query.
>>
>> checking the number of statements is not enough: what about a  
>> value like:
>> (including quotes)
>>
>>    'or'1
>>
>> put inside this statement:
>>
>>    delete from users where username='$1'
>>
>> this query will delete the complete table.
>
> Good point! I think Hans' recent suggestion addresses the problem. It
> also occurs to me that for Postgres at least, we have the PREPARE
> statement, which addresses the optimisation and injection issues you
> have raised. Technically [psql] already supports PREPARE except that
> PREPARE uses the '$' character as its placeholder identifier, and '$1'
> can't be passed around as a symbol in Pd. I think it might be
> interesting to use the '?' notation currently under discussion as an
> interface to PREPARE though.

So PostgreSQL doesn't support placeholders in normal SQL queries?   
That's a bummer.  It seems that those languages that I sited chose  
the Oracle standard for placeholders (? and :name).  According to  
this, MySQL uses ?name and MS SQL Server uses @name.  MySQL can use  
@name if $old_syntax is turned on.  MySQL should use plain "?" but I  
don't know about MS SQL Server (who's really going to use that with  
Pd anyway ;)

http://forums.mysql.com/read.php?38,122041,122187#msg-122187

So the syntax seems to be less standard than I thought.  Man, SQL is  
a mess.

.hc

------------------------------------------------------------------------ 
----

"[W]e have invented the technology to eliminate scarcity, but we are  
deliberately throwing it away to benefit those who profit from  
scarcity."        -John Gilmore

More information about the Pd-list mailing list