[PD] [psql] object hand-holding
Mathieu Bouchard
matju at artengine.ca
Thu Dec 13 20:59:43 CET 2007
On Mon, 10 Dec 2007, Hans-Christoph Steiner wrote:
> The other somewhat common style that I saw in my searches was printf patterns
> (%s, %f, etc). In Pd, [makefilename], [makesymbol], [sprintf], and perhaps
> others use this syntax. The single ? notation seems to be supported by at
> least these, if you want to call that "specific": Qt, PerlDBI, Perl's
> DBD::Pg, RubyDBI, PHP PDO, Java JDBC, MySQL, Oracle.
Well, maybe I shouldn't have said "specific", but when I look at any PHP
code that I find, it seems that they haven't discovered what's a
placeholder yet, for example. So, it seems that it's not so universal.
> I think it is quite important to reuse existing syntax rather than
> introducing new syntax. Minimal syntax is really one of Pd's biggest
> strengths. Since these lines would be pure SQL, I think it would be
> appropriate to use a common SQL syntax.
If you wanted to reuse existing Pd syntax, you could abstract out SQL
syntax completely and make a database interface that fully feels like Pd.
The Rails web framework has something like that.
> I just had a thought, SQL injection relies on being able to send semi-colons
> in text fields.
This is not true. I have already posted an example in this thread on how
to delete a whole table using SQL injection without a semicolon.
> You can't transmit a semicolon in a message in Pd,
This is not true. You can't type one in a messagebox, that's all. You can
make one anytime with [makefilename]. You can edit a pd file and insert a
sufficiently backslashed semicolon and it will appear.
Also, a non-backslashed semicolon in an objectbox is parsed as a symbol of
1 character and it is passed as an argument to the newmethod. Calling a
newmethod is to send a message.
> then no one will ever be able to send a semi-colon to [sqlite]/[psql].
> Pd would always interpret the semi-colon before the object received it
> on its cold inlet. AFAIK, that eliminates basically all of the really
> bad SQL injection attacks.
Dream on!
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada