On Mar 15, 2007, at 11:31 , Ron Mayer wrote:

Josh Berkus wrote:
And then what? dynamically construct all your SQL queries?
Sure, sounds like a simple solution to me...

Not to mention DB security issues. How do you secure your database when
your web client has DDL access?

So, Edward, the really *interesting* idea would be to come up with a
secure, normalized way to do UDFs *without* EAV tables. People would be
very impressed.

I have a system with many essentially user-defined fields, and was
thinking of creating something similar to an Array type and writing
some GIST indexes for it.

My current workaround is to store them as a YAML document and use
tsearch to index it (with application logic to further refine the
results) - but a EAV datatype that could be put in tables and
effectively indexed would be of quite a bit of interest here.
And yes, a better say to do UDFs would be even cooler.

Out of all the databases that I have used, postgresql offers the most flexible DDL- mostly for one reason: they can operate within transactions.

To handle arbitrary strings as column identifiers, the column names could actually be stripped down to lower-case letters and the "real title" could be stored in a separate table or as column comments.

Mr. Berkus' concern regarding the security implications is already handled by privilege separation or security-definer functions.

The OP's concern about the difficulty about querying a schema structure is alleviated via any number of APIs in Perl, JDBC, etc.

It seems to me that postgresql is especially well-suited to run DDL at runtime, so what's the issue?


---------------------------(end of broadcast)---------------------------
TIP 4: Have you searched our list archives?


Reply via email to