[PD] [psql] object hand-holding
matju at artengine.ca
Thu Dec 13 20:36:35 CET 2007
On Mon, 10 Dec 2007, Hans-Christoph Steiner wrote:
> For a place where you are expecting a number, you can protect against a
> SQL injection attack by merely putting a [float] before the message box
> with the SQL in it. In other situations, I think that Perl has a pretty
> decent idea: a "SQL quote" function.
Perl also has a pretty decent idea, which is to allow placeholders, which
automatically quote so that you don't have to do it nor even think about
it. I have rarely ever written any Perl code that would access a SQL database in
any other way than using placeholders. It's for safety, but also so as not to
have to think about strings, so that using SQL feels most like using an
I know that you know about Perl's (and most any other's) placeholders, but
I really mean that one should almost never have to use [sqlquote] at all,
and things are easier if one doesn't have to use it.
> - the named ones could be supported as selectors to the hot inlet:
what about selectors that conflict with existing functionality of the
object? e.g. if a column is called "symbol" or whatever... what about
columns with the same name as methods that will be defined in future
versions of [psql] ?
_ _ __ ___ _____ ________ _____________ _____________________ ...
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada
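Added example, not from the original thread or from the [psql] object: the three approaches discussed above (raw string concatenation, an [sqlquote]-style quote function, and placeholders) side by side, in Python against an in-memory SQLite database. The table, rows, function names and the injection payload are all constructed here for illustration. It also shows the numeric case: a placeholder handles a number without any quoting, and a [float]-style coercion rejects a non-numeric value before it ever reaches SQL.

```python
import sqlite3


def sqlquote(value):
    """Quote a value as a SQL string literal, the [sqlquote]-style approach.
    Doubling embedded single quotes is the standard SQL escape."""
    return "'" + str(value).replace("'", "''") + "'"


def setup_db():
    """Constructed sample data: an in-memory table with one name containing a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age REAL)")
    conn.executemany(
        "INSERT INTO users (name, age) VALUES (?, ?)",
        [("alice", 30.0), ("bob", 41.5), ("o'brien", 27.0)],
    )
    return conn


# Constructed injection payload: closes the literal and appends an always-true clause.
INJECTION = "x' OR '1'='1"


def lookup_concat(conn, name):
    """Vulnerable: user input spliced straight into the SQL text.
    The payload above returns every row; a legitimate name such as o'brien
    breaks the statement outright."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_quoted(conn, name):
    """Safer: every value is wrapped with sqlquote() before being spliced in.
    Correct as long as nobody ever forgets to call it."""
    sql = "SELECT name FROM users WHERE name = " + sqlquote(name) + " ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_placeholder(conn, name):
    """Preferred: the value travels as a bound parameter, never as SQL text,
    so there is nothing to quote and nothing to forget."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def older_than_placeholder(conn, age):
    """Numeric placeholder: a float binds as a number; a non-numeric string
    binds as text and simply matches nothing, it cannot alter the statement."""
    sql = "SELECT name FROM users WHERE age > ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (age,))]


def coerce_float(value):
    """The [float]-in-front trick: anything that is not a number is rejected
    (ValueError) before a query is even built."""
    return float(value)


if __name__ == "__main__":
    db = setup_db()
    print("concat     :", lookup_concat(db, INJECTION))
    print("quoted     :", lookup_quoted(db, INJECTION))
    print("placeholder:", lookup_placeholder(db, INJECTION))
    print("quoted name:", lookup_quoted(db, "o'brien"))
    print("age > 29   :", older_than_placeholder(db, 29.0))
```

The quoted and placeholder lookups both neutralise the payload, but only the placeholder version is safe by construction: with a quote function, one forgotten call anywhere in the patch is enough, which is the point made above about rarely needing [sqlquote] at all.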