[PD] [psql] object hand-holding
Mathieu Bouchard
matju at artengine.ca
Fri Dec 21 19:19:29 CET 2007
On Thu, 13 Dec 2007, Mike McGonagle wrote:
> As someone who has never really used Placeholders, the only sorts of
> things that I can see them being useful for are when you need to do a
> lot of inserts or deletes, or for other statements that will be executed
> repeatedly. From what I am gathering by these discussions is that the
> usage of placeholders allows the SQL statement to be "compiled" and
> then with each execution of the statement, the values of the
> placeholders are substituted.
You seem to think of placeholders as something extra that you necessarily
add for improving the speed because inserting text within SQL seems
perfectly normal. This is not the case. From another perspective,
everything that can be abstracted out ought to be abstracted out, and that
means that you don't want to touch SQL syntax with your data, you want to
think of a SQL statement as a function that you call in your main
programming language, you don't want to have to do type conversions and
quoting because that's an aspect of SQL and not of your main programming
language.
> This might be one reason you don't see them all that often in PHP, I would
> imagine that PHP doesn't really do a whole bunch of repetitive stuff.
So far, all successful attacks on my server have been through PHP scripts
that don't quote things properly. For example, embedding text directly
into email headers without regard for email syntax.
> This idea of doing this to make this more PD-like I think would be a waste
> of time, as SQL is pretty simple and a LOT of people already know it. Why
> create another "language"?
Because that other language would be more integrated with pd itself and
integration is good, if it really makes things feel more familiar. You can
witness the importance of this by looking at how much people avoid using
other programming languages with pd (beyond the difficulties in compiling
externals and distributing patches that use code like that).
The big downside of integration is that it usually does not cover the
whole feature set of what is being wrapped, and especially not nonstandard
extensions.
> At the same time, should our external be on the look out for these sorts
> of things? One of the original ideas was to not give the external any,
> if at all, knowledge of SQL. Meaning, it wouldn't "parse" the SQL, nor
> would it try to do any generation of SQL. It just expects that the user
> is HONEST (that is what these concerns over Injection are, right), and
> the SQL they entered is what they meant.
You can't assume that the user is honest, because when you do, you also
assume that the user does not make mistakes when including input from
other sources that can't be assumed to be honest.
> While we can try to protect against various things, those that want to
> be malicious will do so anyway.
This is not true. Every step is important in making it more difficult for
abuse to happen.
| Mathieu Bouchard - tél:+1.514.383.3801, Montréal QC Canada
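The two points made in the message above, that data should never touch SQL syntax and that text spliced into e-mail headers is an injection vector, shown side by side as an added example. This is not code from the thread or from the [psql] external: it uses Python's stdlib sqlite3 module as a stand-in for a PostgreSQL backend, and the table, the inputs and the function names are constructed for the illustration.

```python
"""Added example (not from the Pd-list thread): a statement with a
placeholder is a function of its parameters, while a statement built by
string splicing makes the caller responsible for quoting.  The same
contrast is shown for e-mail header lines.  sqlite3 stands in for
PostgreSQL here; the table and inputs are constructed."""
import sqlite3


def build_db():
    """Constructed sample database: an in-memory SQLite table of users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")])
    conn.commit()
    return conn


def role_spliced(conn, name):
    """Data embedded into the statement text: any quote or operator in
    `name` becomes SQL syntax, and a stray apostrophe breaks the query."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def role_placeholder(conn, name):
    """The SQL text is fixed; the driver passes `name` as a value, so the
    caller does no quoting or type conversion at all."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


def compare_lookups(name):
    """Return (spliced_result, placeholder_result) for one input.  A spliced
    statement that no longer parses is reported as the string 'syntax error'."""
    conn = build_db()
    try:
        spliced = role_spliced(conn, name)
    except sqlite3.OperationalError:
        spliced = "syntax error"
    return spliced, role_placeholder(conn, name)


def is_header_value(value):
    """Header syntax check: a single header value may not contain a line
    break, otherwise the text that follows it is read as further headers."""
    return "\r" not in value and "\n" not in value


def headers_spliced(to, subject):
    """Header block built by concatenation (the PHP pattern in the message):
    a CR/LF inside `subject` lets the sender append headers such as Bcc."""
    return "To: %s\r\nSubject: %s\r\n\r\n" % (to, subject)


def headers_checked(to, subject):
    """Same block, but each value is validated against header syntax first;
    bad input is rejected rather than silently folded into the message."""
    for value in (to, subject):
        if not is_header_value(value):
            raise ValueError("line break in header value: %r" % value)
    return headers_spliced(to, subject)


def header_names(block):
    """Names of the header lines a receiving MTA would see (small constructed
    parser, enough to count how many headers the block actually carries)."""
    head = block.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n") if line]


if __name__ == "__main__":
    for probe in ("bob", "O'Brien", "' OR '1'='1"):
        print(repr(probe), "->", compare_lookups(probe))
    evil = "hello\r\nBcc: everyone@example.org"
    print(header_names(headers_spliced("a@example.org", evil)))
    print(is_header_value(evil))
```

The placeholder version answers the apostrophe case correctly and the tautology case with an empty result, where the spliced version respectively fails to parse and returns the whole table; the header check likewise turns a silently injected Bcc into a rejected input.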