[PD] [psql] object hand-holding
Hans-Christoph Steiner
hans at eds.org
Sat Dec 15 00:40:46 CET 2007
On Dec 13, 2007, at 3:50 PM, Mike McGonagle wrote:
>
>
> On Dec 13, 2007 1:59 PM, Mathieu Bouchard <matju at artengine.ca> wrote:
> On Mon, 10 Dec 2007, Hans-Christoph Steiner wrote:
>
> > The other somewhat common style that I saw in my searches was
> printf patterns
> > (%s, %f, etc). In Pd, [makefilename], [makesymbol], [sprintf],
> and perhaps
> > others use this syntax. The single ? notation seems to be
> supported by at
> > least these, if you want to call that "specific": Qt, PerlDBI,
> Perl's
> > DBD::Pg, RubyDBI, PHP PDO, Java JDBC, MySQL, Oracle.
>
> Well, maybe I shouldn't have said "specific", but when I look at
> any PHP
> code that I find, it seems that they haven't discovered what's a
> placeholder yet, for example. So, it seems that it's not so universal.
>
> As someone who has never really used Placeholders, the only sorts
> of things that I can see them being useful for are when you need to
> do a lot of inserts or deletes, or for other statements that will
> be executed repeatedly. From what I am gathering by these
> discussions is that the useage of placeholders allows the SQL
> statement to be "compiled" and then with each execution of the
> statement, the values of the placeholders are substituted.
>
> This might be one reason you don't see them all that often in PHP,
> I would imagine that PHP doesn't really do a whole bunch of
> repetitive stuff.
>
>
>
> > I think it is quite important to reuse existing syntax rather than
> > introducing new syntax. Minimal syntax is really one of Pd's
> biggest
> > strengths. Since these lines would be pure SQL, I think it would be
> > appropriate to use a common SQL syntax.
>
> If you wanted to reuse existing Pd syntax, you could abstract out SQL
> syntax completely and make a database interface that fully feels
> like Pd.
> The Rails web framework has something like that.
>
> I don't know about you guys, but my original goal on this was to
> basically allow a user to input SQL and it would return the result
> sets. I just wanted to keep it simple. But I can see a use for
> using Placeholders, especially when you have a lot of data to store
> (and it also kind of "vindicates" my original idea of putting the
> SQL directly in the creation args... [wink, wink, nudge...]).
That's the idea of the [sql_query] object, so we can have both
possibilities, and also support Matju's idea for a expr syntax for
placeholders.
> This idea of doing this to make this more PD-like I think would be
> a waste of time, as SQL is pretty simple and a LOT of people
> already know it. Why create another "language"?
I think there is room for both ideas. I like your idea for [sqlite],
and if someone else wants to make a Pd database syntax, they can do
that also. I don't think there is any conflict in having both.
>
> > I just had a thought, SQL injection relies on being able to send
> semi-colons
> > in text fields.
>
> This is not true. I have already posted an example in this thread
> on how
> to delete a whole table using SQL injection without a semicolon.
>
> At the same time, should our external be on the look out for these
> sorts of things? One of the original ideas was to not give the
> external any, if at all, knowledge of SQL. Meaning, it wouldn't
> "parse" the SQL, nor would it try to do any generation of SQL. It
> just expects that the user is HONEST (that is what these concerns
> over Injection are, right), and the SQL they entered is what they
> meant.
>
> These things being said, I am not adverse to the new design model,
> and I hope to get something up over the weekend.
>
> While we can try to protect against various things, those that want
> to be malicious will do so anyway.
>
> Of course, we could eliminate these problems altogether, and just
> use an embedded database ONLY... (just kidding...)
I agree with you, these objects shouldn't do unnecessary SQL
parsing. I think only the placeholders need to be handled, the rest
can just be passed thru.
The main idea of the placeholder stuff is a straightforward way to
allow for secure database use. It does add some complexity, but I
think we need to do it. Since Pd is being used more and more with
network connection, that means we have to pay more and more attention
to security.
.hc
------------------------------------------------------------------------
----
http://at.or.at/hans/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.puredata.info/pipermail/pd-list/attachments/20071214/e19488e8/attachment.htm>
More information about the Pd-list
mailing list