From: | Sam Mason <sam(at)samason(dot)me(dot)uk> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: design, plpgsql and sql injection in dynamically generated sql |
Date: | 2009-08-17 15:42:14 |
Message-ID: | 20090817154214.GH5407@samason.me.uk |
Lists: | pgsql-general |
On Mon, Aug 17, 2009 at 12:36:49PM +0200, Ivan Sergio Borgonovo wrote:
> I've several lists of items that have to be rendered in a web app in
> the same way.
[..]
> the nature of the lists and their usage pattern is very different.
> So unless someone come up with a better design I still would like to
> keep the item lists in different tables.
As you've explained it, I'd be tempted to have a function for each
table. You're going to have special code outside the database for each
one, so why not a (small) amount for each one inside the database?
> I'd like to build up a function that takes the name of the table and
> the key to dynamically build up the query... but I don't know what
> should I use to sanitize them.
I'd stay away from this; they may be doing similar things at the moment
but if they really are as different as you seem to suggest then having
them as separate functions would make this easier.
If they really are that similar then you should have all the data in one
table anyway!
--
Sam http://samason.me.uk/
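The question quoted above asks what to use to sanitize a table name and a key that are spliced into dynamically generated SQL. The following is an added example, not code from Sam, Ivan or the thread; it shows the unsafe string-concatenation form next to a hardened form. It assumes PostgreSQL 8.4 or later (EXECUTE ... USING is an 8.4 feature), and the table names, the "id"/"title" columns and the sample rows are constructed for the example.

```sql
-- Added example, not from the original thread. Assumes PostgreSQL 8.4+
-- (EXECUTE ... USING). Tables, columns and rows below are constructed.
CREATE TABLE news_items  (id integer PRIMARY KEY, title text);
CREATE TABLE event_items (id integer PRIMARY KEY, title text);
INSERT INTO news_items  VALUES (1, 'first story'), (2, 'second story');
INSERT INTO event_items VALUES (1, 'launch party');

-- UNSAFE: both the table name and the key are pasted into the SQL text.
-- Whatever the caller passes is executed as SQL.
CREATE OR REPLACE FUNCTION item_title_unsafe(tbl text, item_id text)
RETURNS text AS $$
DECLARE
    result text;
BEGIN
    EXECUTE 'SELECT title FROM ' || tbl || ' WHERE id = ' || item_id
        INTO result;
    RETURN result;
END;
$$ LANGUAGE plpgsql;

-- SAFER: the table name is checked against the short list of tables this
-- function is meant to serve and then quoted with quote_ident(); the key is
-- typed (integer) and bound as a parameter via USING, so it is never part
-- of the SQL string at all.
CREATE OR REPLACE FUNCTION item_title(tbl text, item_id integer)
RETURNS text AS $$
DECLARE
    result text;
BEGIN
    IF tbl NOT IN ('news_items', 'event_items') THEN
        RAISE EXCEPTION 'unknown item table: %', tbl;
    END IF;
    EXECUTE 'SELECT title FROM ' || quote_ident(tbl) || ' WHERE id = $1'
        INTO result
        USING item_id;
    RETURN result;
END;
$$ LANGUAGE plpgsql;

-- Legitimate calls: both return 'first story'.
SELECT item_title_unsafe('news_items', '1');
SELECT item_title('news_items', 1);

-- Injection through the key. The unsafe function now runs
--   SELECT title FROM news_items WHERE id = 2 OR 1=1
-- and returns the first row of the table regardless of the key; a subquery
-- in the same position can read any table the function's role can see.
-- The safe function cannot even be called this way: the key is an integer.
SELECT item_title_unsafe('news_items', '2 OR 1=1');

-- Injection through the table name. The unsafe function executes
--   SELECT title FROM news_items WHERE false UNION SELECT current_user -- ...
-- and returns the name of the role running the query. The safe function
-- raises 'unknown item table' before any SQL is built.
SELECT item_title_unsafe('news_items WHERE false UNION SELECT current_user --', '1');
SELECT item_title('news_items WHERE false UNION SELECT current_user --', 1);
```

The two rules the hardened version follows are the ones that matter for any dynamic SQL in plpgsql: identifiers (table and column names) go through quote_ident(), and values are bound with USING (or, on releases before 8.4, passed through quote_literal()). Restricting the table name to a known list is what actually limits the function to the tables it was written for; quote_ident() alone would still let a caller name any table the function's role can read. On 9.1 and later, format('SELECT title FROM %I WHERE id = $1', tbl) does the identifier quoting in one step. Sam's point still stands: if the lists differ as much as described, one small function per table avoids the whole problem.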