[PD] [psql] object hand-holding

Hans-Christoph Steiner hans at eds.org
Sat Dec 15 00:32:09 CET 2007

On Dec 13, 2007, at 2:36 PM, Mathieu Bouchard wrote:

> On Mon, 10 Dec 2007, Hans-Christoph Steiner wrote:
>> For a place where you are expecting a number, you can protect  
>> against a SQL injection attack by merely putting a [float] before  
>> the message box with the SQL in it.  In other situations, I think  
>> that Perl has a pretty decent idea: a "SQL quote" function.
> Perl has also a pretty decent idea, which is to allow placeholders,  
> which automatically quotes so that you don't have to do it nor even  
> think about it. I rarely ever wrote any Perl code that would access  
> a SQL database in any other way than using placeholders. It's for  
> safety but also not to have to think about strings, so that using  
> SQL feels most like using an array.
> I know that you know about Perl's (and most any other's)  
> placeholders, but I really mean that one should almost never have  
> to use [sqlquote] at all, and things are easier if one doesn't have  
> to use it.
>> - the names ones could be supported as selectors to the hot inlet:
> what about selectors that conflict with existing functionality of  
> the object? e.g. if a column is called "symbol" or whatever... what  
> about columns with the same name as methods that will be defined in  
> future versions of [psql] ?

We can deal with future problems in the future. Right now we need to  
get something working to test the ideas we've talked about. :)



The arc of history bends towards justice.     - Dr. Martin Luther  
King, Jr.

More information about the Pd-list mailing list