[PD] [psql] object hand-holding

Mathieu Bouchard matju at artengine.ca
Thu Dec 13 20:36:35 CET 2007

On Mon, 10 Dec 2007, Hans-Christoph Steiner wrote:

> For a place where you are expecting a number, you can protect against a 
> SQL injection attack by merely putting a [float] before the message box 
> with the SQL in it.  In other situations, I think that Perl has a pretty 
> decent idea: a "SQL quote" function.

Perl also has a pretty decent idea, which is to allow placeholders, which 
automatically quote so that you don't have to do it nor even think about 
it. I rarely ever wrote any Perl code that would access a SQL database in 
any other way than using placeholders. It's for safety but also not to 
have to think about strings, so that using SQL feels most like using an 

I know that you know about Perl's (and most any other's) placeholders, but 
I really mean that one should almost never have to use [sqlquote] at all, 
and things are easier if one doesn't have to use it.

> - the names ones could be supported as selectors to the hot inlet:

what about selectors that conflict with existing functionality of the 
object? e.g. if a column is called "symbol" or whatever... what about 
columns with the same name as methods that will be defined in future 
versions of [psql] ?

  _ _ __ ___ _____ ________ _____________ _____________________ ...
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada
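The contrast drawn above between quoting strings by hand and letting the database driver bind placeholders, plus the "[float] in front of the message box" guard for numeric inputs, in runnable form. This is an added example and not code from the thread or from the [psql] object; it uses Python's sqlite3 module in place of PostgreSQL (the placeholder idea is the same in Perl DBI and in any other DB-API), and the notes table and its rows are constructed here. It also shows the one case placeholders do not cover, which is the column-name question raised at the end: an identifier cannot be bound as a value, so it has to be checked against a fixed allow-list instead.

```python
import sqlite3

ALLOWED_COLUMNS = {"pitch", "name"}  # constructed allow-list of identifiers


def make_db():
    # Constructed in-memory stand-in for the database [psql] would talk to.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, pitch REAL, name TEXT)")
    con.executemany(
        "INSERT INTO notes (pitch, name) VALUES (?, ?)",
        [(60.0, "c4"), (62.0, "d4"), (64.0, "e4")],
    )
    return con


def lookup_by_name_concat(con, name):
    # The pattern the thread warns about: an untrusted string pasted into the SQL
    # text. A value containing a quote changes the statement's structure.
    sql = "SELECT pitch FROM notes WHERE name = '%s'" % name
    return [row[0] for row in con.execute(sql)]


def lookup_by_name_placeholder(con, name):
    # The placeholder version: the driver binds the value separately from the SQL
    # text, so a quote in the value is just a character in a string.
    rows = con.execute("SELECT pitch FROM notes WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_by_pitch(con, pitch):
    # The "[float] before the message box" idea: coerce to a number first, so
    # anything that is not a number fails here instead of reaching the SQL.
    value = float(pitch)  # raises ValueError on non-numeric input
    rows = con.execute("SELECT name FROM notes WHERE pitch = ?", (value,))
    return [row[0] for row in rows]


def select_column(con, column):
    # Placeholders bind values only. A column name is an identifier, so the only
    # defence is to compare it against a fixed allow-list before quoting it.
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: %r" % column)
    rows = con.execute('SELECT "%s" FROM notes ORDER BY id' % column)
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that breaks out of a quoted literal
    print("concat:     ", lookup_by_name_concat(db, probe))      # every row
    print("placeholder:", lookup_by_name_placeholder(db, probe))  # no row
    print("by pitch:   ", lookup_by_pitch(db, "62"))
    print("by column:  ", select_column(db, "name"))
```

Running it prints all three pitches for the concatenated query and an empty list for the placeholder query, given the same input; that difference is the whole argument for never needing [sqlquote] in the first place.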
