Olivier, I added

    http://www.squeaksource.com/PostgresV3/
    and the link sent by Stefan to your table.
    We should check if it is working in Pharo.

Stef

On 10/1/15 10:46, olivier auverlot wrote:
SQL support is very poor in Pharo and many improvements are necessary. PostgresV2 is actually probably the best solution available because it is written only in Pharo and works on many platforms. The framework does the work but it's a limited solution.

Olivier ;-)

2015-01-10 10:09 GMT+01:00 stepharo <[email protected] <mailto:[email protected]>>:

    Maybe this is the time to improve this package :)
    I'm sorry, I have no DB experience.
    As part of the consortium agenda for this year we have
        - better ffi
        - better db support

    Stef

    On 10/1/15 02:06, David Carlos Manuelda wrote:

        I've installed and tested PostgresV2 under Pharo with the following doits:

        "Load the PostgresV2 configuration from SmalltalkHub and then version 2.4 of the project"
        Gofer new
              smalltalkhubUser: 'PharoExtras' project: 'PostgresV2';
              configuration;
              load.
        (#ConfigurationOfPostgresV2 asClass project version: '2.4') load.

        While it works well, it is missing a very important feature from both the
        security and the performance point of view: prepared statements.

        In brief, prepared statements are parameterized SQL statements that are
        loaded ONCE per connection instead of sending the whole query to the DB every
        time. They are also parameterized, so they completely prevent SQL injection,
        as the parameters are automatically 'detected' and escaped and/or handled
        accordingly without in any case allowing a parameter to alter the SQL
        meaning, which can happen with regular SQL queries built by string
        concatenation.

        I browsed the class and did not find any prepare: method nor anything
        similar.

        Also, you can give a name to an SQL sentence, which makes the code much more
        readable without mixing too much logic with SQL commands and string
        concatenation.

        An example is as follows (supposing we have an instance variable
        connection, already initialized and connected via the PGConnection
        class):

        Instead of:

        "Query text built by string concatenation: the user name becomes part of the SQL"
        self connection execute: 'SELECT data FROM mytable WHERE name=''', anUser userName, ''';'.

        it would be something like this:

        "Run a previously prepared, named statement, passing the user name as a parameter"
        self connection executePrepared: 'getUserData' with: anUser userName.

        And another suggestion could be something like:

        "Register the parameterized SQL once under a readable name; $1 is the first parameter"
        self connection prepare: 'getUserData' withSQL: 'SELECT data FROM mytable WHERE name=$1'.

        Any plan for this to be implemented, or any hint to another PostgreSQL
        class that already has it?

        David.

        P.S. I've written in my blog about this some time ago:
        http://stormbyte.blogspot.com.es/2012/06/programming-with-database-using.html
        if someone finds it useful.
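The thread contrasts a query built by string concatenation with a named, parameterized statement registered once and executed with separate parameters. The following is an added example written for this page, not code from PostgresV2 or from any of the participants. It mirrors the proposed prepare:withSQL: / executePrepared:with: API with hypothetical Python names (PreparedConnection, prepare, execute_prepared), and uses Python's built-in sqlite3 module as a stand-in for a PostgreSQL connection so it runs offline; sqlite3 uses ? placeholders where PostgreSQL uses $1. The table contents are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "mytable".
ROWS = [("alice", "alice-data"), ("O'Brien", "obrien-data")]


class PreparedConnection:
    """Hypothetical wrapper modelled on the prepare:/executePrepared: API
    proposed in the thread; not the PostgresV2 API."""

    def __init__(self):
        # In-memory sqlite3 database stands in for a PostgreSQL connection.
        self._conn = sqlite3.connect(":memory:")
        self._conn.execute("CREATE TABLE mytable (name TEXT, data TEXT)")
        self._conn.executemany("INSERT INTO mytable VALUES (?, ?)", ROWS)
        self._statements = {}

    def prepare(self, name, sql):
        # Register the parameterized SQL text once under a readable name.
        self._statements[name] = sql

    def execute_prepared(self, name, *params):
        # Parameters are handed to the driver separately from the SQL text,
        # so a value can only ever be data; it cannot change the statement.
        return self._conn.execute(self._statements[name], params).fetchall()

    def execute_concatenated(self, user_name):
        # The pattern the thread warns against: the value is spliced into
        # the SQL text and is parsed as SQL, quotes included.
        sql = "SELECT data FROM mytable WHERE name='" + user_name + "';"
        return self._conn.execute(sql).fetchall()


def lookup_both_ways(user_name):
    """Run the same lookup through the prepared statement and through
    concatenation; returns (prepared_rows, concatenated_result) where the
    second item is an error string if the concatenated query fails."""
    conn = PreparedConnection()
    conn.prepare("getUserData", "SELECT data FROM mytable WHERE name=?")
    prepared = conn.execute_prepared("getUserData", user_name)
    try:
        concatenated = conn.execute_concatenated(user_name)
    except sqlite3.Error as exc:
        concatenated = "error: " + str(exc)
    return prepared, concatenated


if __name__ == "__main__":
    # A plain name works both ways; a name containing a quote breaks the
    # concatenated query but is handled correctly as a parameter.
    for name in ("alice", "O'Brien"):
        print(name, lookup_both_ways(name))
```

The second input is an ordinary value that happens to contain a single quote. The prepared path returns the right row because the driver never re-parses the value as SQL, while the concatenated path fails at parse time: the same property that makes it break on legitimate data is what lets crafted data alter the statement's meaning.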
