[PD] [psql] object hand-holding
Hans-Christoph Steiner
hans at eds.org
Sat Dec 15 00:32:09 CET 2007
On Dec 13, 2007, at 2:36 PM, Mathieu Bouchard wrote:
> On Mon, 10 Dec 2007, Hans-Christoph Steiner wrote:
>
>> For a place where you are expecting a number, you can protect
>> against a SQL injection attack by merely putting a [float] before
>> the message box with the SQL in it. In other situations, I think
>> that Perl has a pretty decent idea: a "SQL quote" function.
>
> Perl has also a pretty decent idea, which is to allow placeholders,
> which automatically quotes so that you don't have to do it nor even
> think about it. I rarely ever wrote any Perl code that would access
> a SQL database in any other way than using placeholders. It's for
> safety but also not to have to think about strings, so that using
> SQL feels most like using an array.
>
> I know that you know about Perl's (and most any other's)
> placeholders, but I really mean that one should almost never have
> to use [sqlquote] at all, and things are easier if one doesn't have
> to use it.
>
>> - the names ones could be supported as selectors to the hot inlet:
>
> what about selectors that conflict with existing functionality of
> the object? e.g. if a column is called "symbol" or whatever... what
> about columns with the same name as methods that will be defined in
> future versions of [psql] ?
We can deal with future problems in the future. Right now we need to
get something working to test the ideas we've talked about. :)
.hc
----------------------------------------------------------------------------
The arc of history bends towards justice. - Dr. Martin Luther
King, Jr.
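An added example, not code from this thread or from Pd's [psql] object, showing the three approaches the two messages compare: building SQL by string concatenation, a hand-rolled "SQL quote" function in the spirit of Perl DBI's quote(), and a placeholder that lets the driver do the quoting. A numeric-coercion lookup stands in for the "[float] before the message box" idea for columns that expect a number. It uses Python's sqlite3 module against a constructed in-memory table; both the table and the rows are assumptions made up for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Concatenation: the caller's string becomes SQL syntax, so a quote
    # in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def sql_quote(value):
    # Minimal quote helper: wrap in single quotes and double any embedded
    # quote, which is the standard SQL escape. Assumes SQLite semantics
    # (backslash is not an escape character there); other engines differ,
    # which is exactly why a per-driver function or placeholders are safer.
    return "'" + str(value).replace("'", "''") + "'"


def lookup_quoted(conn, name):
    # Still string-building, but every caller must remember to quote.
    sql = "SELECT name FROM users WHERE name = " + sql_quote(name) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_placeholder(conn, name):
    # Placeholder: the value never touches the SQL text, so there is
    # nothing to quote and nothing to think about.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_by_id(conn, raw_id):
    # The numeric-coercion idea: force the input through a number first.
    # Anything that is not a number is rejected before it reaches the SQL.
    try:
        ident = int(float(raw_id))
    except (TypeError, ValueError):
        return []
    sql = "SELECT name FROM users WHERE id = " + str(ident)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:     ", lookup_unsafe(db, payload))
    print("quoted:     ", lookup_quoted(db, payload))
    print("placeholder:", lookup_placeholder(db, payload))
    print("by id:      ", lookup_by_id(db, "1 OR 1=1"))
```

The unsafe lookup returns every row for the classic `' OR '1'='1` payload; the quoted and placeholder lookups return nothing because the payload is matched as a literal string. The coerced-number lookup returns nothing for `1 OR 1=1`, since that is not a number. Only the placeholder version is safe without the caller having to remember anything.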