[PD] [psql] object hand-holding
Mathieu Bouchard
matju at artengine.ca
Thu Dec 13 20:36:35 CET 2007
On Mon, 10 Dec 2007, Hans-Christoph Steiner wrote:
> For a place where you are expecting a number, you can protect against a
> SQL injection attack by merely putting a [float] before the message box
> with the SQL in it. In other situations, I think that Perl has a pretty
> decent idea: a "SQL quote" function.
Perl also has a pretty decent idea, which is to allow placeholders, which
automatically quote so that you don't have to do it or even think about
it. I rarely ever wrote any Perl code that would access a SQL database in
any other way than using placeholders. It's for safety but also so as not to
have to think about strings, so that using SQL feels most like using an
array.
I know that you know about Perl's (and most any other's) placeholders, but
I really mean that one should almost never have to use [sqlquote] at all,
and things are easier if one doesn't have to use it.
> - the named ones could be supported as selectors to the hot inlet:
What about selectors that conflict with existing functionality of the
object? e.g. if a column is called "symbol" or whatever... What about
columns with the same name as methods that will be defined in future
versions of [psql]?
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada
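The three approaches discussed in this thread (pasting the value into the SQL text, quoting it with a [sqlquote]-style function, or handing it to the driver through a placeholder), shown side by side as an added example. This is not code from the Pd [psql] object or from either poster; it uses Python's sqlite3 module as a stand-in for a PostgreSQL connection, and the table, rows and function names are constructed for the illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the database behind [psql].
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)")
    conn.executemany(
        "INSERT INTO people (name, age) VALUES (?, ?)",
        [("Mathieu", 30), ("O'Brien", 41), ("Hans", 35)],
    )
    conn.commit()
    return conn


def lookup_by_concat(conn, name):
    # Message-box style: the value is pasted straight into the SQL text.
    # Any quote character in the value becomes part of the SQL syntax,
    # so this breaks (or worse) on perfectly ordinary names like O'Brien.
    sql = "SELECT id, name FROM people WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def sql_quote(value):
    # A [sqlquote]-style helper: wrap in single quotes and double any
    # embedded single quote, as SQL string literals require.
    return "'" + value.replace("'", "''") + "'"


def lookup_by_quote(conn, name):
    # Works, but only if the author remembers to call sql_quote at every
    # site where a value is spliced into SQL text.
    sql = "SELECT id, name FROM people WHERE name = " + sql_quote(name)
    return conn.execute(sql).fetchall()


def lookup_by_placeholder(conn, name):
    # Placeholder: the SQL text is fixed and the value travels separately,
    # so there is nothing to quote and nothing to think about.
    return conn.execute(
        "SELECT id, name FROM people WHERE name = ?", (name,)
    ).fetchall()


def lookup_by_age(conn, age):
    # The [float]-before-the-message-box idea: coerce the input to a number
    # before it gets anywhere near the query. Non-numeric input is rejected
    # with a ValueError instead of being interpreted as SQL.
    age = float(age)
    return conn.execute(
        "SELECT id, name FROM people WHERE age = ?", (age,)
    ).fetchall()


def run_comparison(name):
    # Returns (concat result, quoted result, placeholder result) for one
    # input so the three behaviours can be compared on the same value.
    conn = make_db()
    try:
        concat = lookup_by_concat(conn, name)
    except sqlite3.OperationalError:
        concat = "sql error"
    return concat, lookup_by_quote(conn, name), lookup_by_placeholder(conn, name)


if __name__ == "__main__":
    for candidate in ("Mathieu", "O'Brien"):
        print(candidate, "->", run_comparison(candidate))
```

Running it shows that only the concatenated form fails on the apostrophe in O'Brien, while the quoted and placeholder forms both return the matching row. The difference between those two is not the result but the discipline required: the quoting helper has to be applied consistently by hand, whereas the placeholder form cannot be forgotten because the query text never contains the value at all.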