From: | Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it> |
---|---|
To: | pgsql-sql(at)postgresql(dot)org |
Subject: | Re: Protection from SQL injection |
Date: | 2008-04-27 12:22:53 |
Message-ID: | 20080427142253.449de600@dawn.webthatworks.it |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-sql |
On Sun, 27 Apr 2008 12:38:48 +0200
Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it> wrote:
> Once you've developers that are so patient to write stuff like:
>
> "select a.id, b.name from a join b on b.id=a.id where
> a.status='pending' and b.id>7 and b.status='logged'"
>
> into
>
> "select a.id, b.name from a join b on b.id=a.id where
> a.status=? and b.id>? and b.status=?", 'pending', 7, 'logged'
>
> there are high chances they will prefer to spend some of their time
> actually thinking about what they are writing.
[snipped here and there]
> Prepared statements force you to match input with position and it is
> definitively error prone.
It'd be nice to have a wrapper that let you write prepared statements
this way:
"select a.id, b.name from a join b on a.id=b.id where
a.status=$variable1 and b.id>$variable2 etc... but that's a pretty
good change to any language parser.
Maybe it could be obtained by use of macro...
That will turn
new_query("select a.id, b.name from a join b on a.id=b.id where
a.status=$variable1 and b.id>$variable2");
into
pg_prepare('anonymous', 'select a.id, b.name from a join b on
a.id=b.id where a.status=$1 and b.id>$2');
pg_execute('anonymous',array($variable1,$variable2));
but aren't macro evil
Still it would be handy.
--
Ivan Sergio Borgonovo
http://www.webthatworks.it
From | Date | Subject | |
---|---|---|---|
Next Message | Jean-David Beyer | 2008-04-27 13:01:11 | Curious about wide tables. |
Previous Message | Ivan Sergio Borgonovo | 2008-04-27 10:38:48 | Re: Protection from SQL injection |