Javier Guerra wrote:
On Fri, Dec 11, 2009 at 4:07 PM, Paul Bohme <kepler-proj...@bohme.org> wrote:
As I see it, the thing is nearly perfect for my uses except for embedding
untrusted data in code..  Tweak that little bit of missing code and it's
perfect.

prepared statements and parameter bindings are the sane and safe way to
do it.  but _ONLY_ if you use the real deal, as provided by the RDBMS,
not if you mangle the sql string, trying to do some string
quoting-escaping, etc.

Parameter bindings and prepared statements aren't always joined. In the Postgres API, they're different things. The same approach can be used for a simplified API - pass it a query with placeholders in it, and a table of values to bind. The call returns a result set exactly as the simplified API does now.

i don't use PostgreSQL regularly, so i don't know if it supports named
parameters.  if not, then bad luck. the client code is no place to add
that.

It supports numbered parameters, which is close but not quite usable.

Now, if you're talking about a separate much larger project, I'd be more
inclined to agree.. ;-)

well, the first two parts (driver and LuaSQL) are already in place.
the only missing thing is parameters support, which should be provided
by the driver (some already do) and supported by the agnostic layer
(missing).

the big trouble is that in the name of API unification, most projects
suggest things like that: add named parameters when it's missing, and
numbered when the converse; or trying to replace parameter syntaxes...
it's all wrong.  the agnostic layer MUST respect the RDBMS dialect of
SQL, not try to make it 'nicer', or 'more like the others'

In the case of the work I've done with ls_postgres.c, not so much 'nicer' as it makes it 'usable'. ;-) As the changes to the SQL are cosmetic - simply mapping a set of names to numbers - I'm OK with it. It's totally understandable that others (Javier) are dead-set against *any* manipulation - and I'm OK with that too. Both can be handled with minimal effort.

 -P
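Added illustration of the name-to-number mapping discussed above; this is not code from LuaSQL, ls_postgres.c or anyone on the thread, and it is written in Python rather than Lua so it can be run on its own. The function name `bind_named`, the `:name` placeholder syntax and the sample query are all assumptions. The point it shows is what makes the rewrite "cosmetic": only placeholder tokens are touched, string literals, quoted identifiers, comments and PostgreSQL's `::` cast operator are copied through untouched, and the bound values never enter the SQL text at all; they are returned separately for the driver's real parameter binding.

```python
import re
from typing import Any, Dict, List, Tuple

# Hypothetical helper (not LuaSQL's API): rewrite ':name' placeholders into
# PostgreSQL's numbered '$1', '$2', ... form and return the values in the
# order the numbers expect. The values are never spliced into the query.

_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _skip_quoted(sql: str, i: int, quote: str) -> int:
    """Return the index just past a quoted token starting at sql[i].
    A doubled quote character inside the token is an escaped quote."""
    j = i + 1
    n = len(sql)
    while j < n:
        if sql[j] == quote:
            if j + 1 < n and sql[j + 1] == quote:
                j += 2  # escaped quote, still inside the token
                continue
            return j + 1
        j += 1
    raise ValueError(f"unterminated {quote} token at offset {i}")


def bind_named(sql: str, params: Dict[str, Any]) -> Tuple[str, List[Any]]:
    out: List[str] = []
    order: List[str] = []       # parameter names in first-use order
    index: Dict[str, int] = {}  # name -> its $n number
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            # String literal or quoted identifier: copy verbatim.
            j = _skip_quoted(sql, i, ch)
            out.append(sql[i:j])
            i = j
            continue
        if sql.startswith("--", i):
            # Line comment: copy verbatim up to end of line.
            j = sql.find("\n", i)
            j = n if j < 0 else j
            out.append(sql[i:j])
            i = j
            continue
        if sql.startswith("/*", i):
            # Block comment: copy verbatim.
            j = sql.find("*/", i + 2)
            if j < 0:
                raise ValueError("unterminated block comment")
            out.append(sql[i:j + 2])
            i = j + 2
            continue
        if sql.startswith("::", i):
            # PostgreSQL cast operator, not a placeholder.
            out.append("::")
            i += 2
            continue
        if ch == ":":
            m = _NAME.match(sql, i + 1)
            if m:
                name = m.group(0)
                if name not in params:
                    raise KeyError(f"no value bound for :{name}")
                if name not in index:
                    order.append(name)
                    index[name] = len(order)  # reuse keeps the same $n
                out.append(f"${index[name]}")
                i = m.end()
                continue
        out.append(ch)
        i += 1
    return "".join(out), [params[name] for name in order]
```

The rewritten string and the value list are what you hand to the driver's numbered-parameter call; the driver, not this layer, does the binding, which is exactly the split Javier insists on.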


_______________________________________________
Kepler-Project mailing list
Kepler-Project@lists.luaforge.net
http://lists.luaforge.net/cgi-bin/mailman/listinfo/kepler-project
http://www.keplerproject.org/
