On Dec 13, 2007, at 2:36 PM, Mathieu Bouchard wrote:

> On Mon, 10 Dec 2007, Hans-Christoph Steiner wrote:
>
>> For a place where you are expecting a number, you can protect against a SQL injection attack by merely putting a [float] before the message box with the SQL in it. In other situations, I think that Perl has a pretty decent idea: a "SQL quote" function.
>
> Perl has also a pretty decent idea, which is to allow placeholders, which automatically quote so that you don't have to do it nor even think about it. I rarely ever wrote any Perl code that would access a SQL database in any other way than using placeholders. It's for safety but also not to have to think about strings, so that using SQL feels most like using an array.
>
> I know that you know about Perl's (and most any other's) placeholders, but I really mean that one should almost never have to use [sqlquote] at all, and things are easier if one doesn't have to use it.
>
>> - the named ones could be supported as selectors to the hot inlet:
>
> what about selectors that conflict with existing functionality of the object? e.g. if a column is called "symbol" or whatever... what about columns with the same name as methods that will be defined in future versions of [psql]?
We can deal with future problems in the future. Right now we need to get something working to test the ideas we've talked about. :)

.hc

------------------------------------------------------------------------
The arc of history bends towards justice. - Dr. Martin Luther King, Jr.
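The two protections discussed in the thread, placeholders and coercing a value to a number before it reaches the SQL, side by side with the fragile string-splicing they replace. This is an added example, not code from the thread, from Pd or from the [psql] object; it uses Python's sqlite3 module (which supports `?` placeholders much like Perl's DBI) instead of Perl, and the table and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
SAMPLE_ROWS = [(1, "Alice", 30), (2, "O'Brien", 41)]


def setup_db():
    """Create an in-memory database with a small 'person' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_by_name_concat(conn, name):
    """The fragile approach: splice the value into the SQL text.

    A single quote inside the data is enough to break the statement; sqlite3
    raises OperationalError. Data that is not merely accidental but chosen
    by an attacker can change what the statement means, which is the SQL
    injection problem the thread is about.
    """
    sql = "SELECT id FROM person WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_placeholder(conn, name):
    """The placeholder approach: the driver sends the value separately from
    the SQL text, so it is always treated as data and never parsed as SQL.
    No quoting function is needed."""
    rows = conn.execute("SELECT id FROM person WHERE name = ?", (name,))
    return [row[0] for row in rows]


def find_older_than(conn, value):
    """The [float]-in-front idea: force the input to a number before it gets
    anywhere near the query. Non-numeric input is rejected with ValueError
    rather than being interpreted as SQL."""
    age = float(value)
    rows = conn.execute("SELECT id FROM person WHERE age > ?", (age,))
    return [row[0] for row in rows]


def demo():
    """Run each approach against awkward inputs and collect the outcomes."""
    conn = setup_db()
    results = {}

    # A perfectly legitimate name with an apostrophe breaks the spliced query...
    try:
        find_by_name_concat(conn, "O'Brien")
        results["concat_obrien"] = "ok"
    except sqlite3.OperationalError:
        results["concat_obrien"] = "syntax error"

    # ...but is just a value when bound through a placeholder.
    results["placeholder_obrien"] = find_by_name_placeholder(conn, "O'Brien")

    # Quote and comment characters stay inert as bound data: no row matches.
    results["placeholder_hostile"] = find_by_name_placeholder(conn, "Alice' --")

    # Numeric coercion: a real number passes, anything else is refused up front.
    results["older_than_35"] = find_older_than(conn, "35")
    try:
        find_older_than(conn, "35 OR 1=1")
        results["older_than_text"] = "ok"
    except ValueError:
        results["older_than_text"] = "rejected"

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point Mathieu makes is visible in `find_by_name_placeholder`: the SQL text is a constant, so there is nothing to quote and the column lookup reads like indexing an array. The numeric check in `find_older_than` is the equivalent of the [float] object in front of a message box: it cannot make a text column safe, but for a column that must hold a number it stops any string from being spliced in at all.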
