[PD] [psql] object hand-holding

Mathieu Bouchard matju at artengine.ca
Thu Dec 13 20:59:43 CET 2007 

On Mon, 10 Dec 2007, Hans-Christoph Steiner wrote:

> The other somewhat common style that I saw in my searches was printf patterns 
> (%s, %f, etc).  In Pd, [makefilename], [makesymbol], [sprintf], and perhaps 
> others use this syntax.  The single ? notation seems to be supported by at 
> least these, if you want to call that "specific":  Qt, PerlDBI, Perl's 
> DBD::Pg, RubyDBI, PHP PDO, Java JDBC, MySQL, Oracle.

Well, maybe I shouldn't have said "specific", but when I look at any PHP 
code that I find, it seems that they haven't discovered what's a 
placeholder yet, for example. So, it seems that it's not so universal.

> I think it is quite important to reuse existing syntax rather than 
> introducing new syntax.  Minimal syntax is really one of Pd's biggest 
> strengths.  Since these lines would be pure SQL, I think it would be 
> appropriate to use a common SQL syntax.

If you wanted to reuse existing Pd syntax, you could abstract out SQL 
syntax completely and make a database interface that fully feels like Pd. 
The Rails web framework has something like that.

> I just had a thought, SQL injection relies on being able to send semi-colons 
> in text fields.

This is not true. I have already posted an example in this thread on how 
to delete a whole table using SQL injection without a semicolon.

> You can't transmit a semicolon in a message in Pd,

This is not true. You can't type one in a messagebox, that's all. You can 
make one anytime with [makefilename]. You can edit a pd file and insert a 
sufficiently backslashed semicolon and it will appear.

Also, a non-backslashed semicolon in an objectbox is parsed as a symbol of 
1 character and it is passed as an argument to the newmethod. Calling a 
newmethod is to send a message.

> then no one will ever be able to send a semi-colon to [sqlite]/[psql]. 
> Pd would always interpret the semi-colon before the object received it 
> on its cold inlet. AFAIK, that eliminates basically all of the really 
> bad SQL injection attacks.

Dream on!

  _ _ __ ___ _____ ________ _____________ _____________________ ...
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada

More information about the Pd-list mailing list