[PD] Question about SQL Placeholder Implementation

Mike McGonagle mjmogo at gmail.com
Tue Dec 18 22:49:55 CET 2007

Hello all,
To give you an update on what is happening, I think I will have something to
post tomorrow or the next day. I did diverge from the Object Model
discussed, but that was because I couldn't quite figure out where Hans was
outputting the result sets. It also may turn out to be a good thing, as it
makes it possible to create the Server Object in any window, and the query
objects can be in any other window, and they will still connect up (without
patching). I like this as each query object can be isolated within its own
subpatch, and you don't have to build additional objects just to connect to
the server.

So, I have not quite implemented the Placeholder version of inputting the
SQL, and from reading some more about SQL injection, it sounds like it would
be a good idea if we were to have these inlets created using the specific
type of data to be inserted. This is also probably going to be required, as
the database packages require the binding of a particular data type into
these placeholders. So, we are going to need a means of defining these types
at creation time.

[query <srv_id> insert into mytable (id, name, token) values (?f,'?s','?s')]

In this example, the first placeholder would expect a Float, with the next
two expecting a Symbol (just think of this as a variation on the printf
string substitutions). I am not quite sure if I remember correctly, but it
sounded like Hans wants to set these inlets to be list inlets, but
considering that the databases need to know the specific data types for each
placeholder, I don't think this would be practical.

Also, as the servers I have looked at so far, would expect this string in
the form of

"insert into mytable (id, name, token) values (?, '?', '?')"

The external would be required to strip out the data type character.

Also, from reading these things (
http://en.wikipedia.org/wiki/SQL_injection), it was stated that most
database engines only allow the sending of a
single SQL statement. This is done so that SQL injection can't be used to
create additional statements that are embedded within a Placeholder
replacement. So, this means that I won't get my multiple statement buffer.
(Also, from some tests that I have done, there doesn't have to be a ';'
terminating the statement, as the server appears to assume these things.

Ok, so I am a little all over the board on this, but if you could focus on
the stuff on the Placeholder things, as that is pretty much still to be
implemented, that would be great.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.puredata.info/pipermail/pd-list/attachments/20071218/6f1a5310/attachment.htm>

More information about the Pd-list mailing list