From: | decibel <decibel(at)decibel(dot)org> |
---|---|
To: | Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com> |
Cc: | Merlin Moncure <mmoncure(at)gmail(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, "David E(dot) Wheeler" <david(at)kineticode(dot)com>, Pg Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: RfD: more powerful "any" types |
Date: | 2009-09-14 23:05:10 |
Message-ID: | B8568D89-6B44-4EE3-B936-A1D2F59E1C0E@decibel.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Sep 14, 2009, at 1:02 PM, Pavel Stehule wrote:
> 2009/9/14 Merlin Moncure <mmoncure(at)gmail(dot)com>:
>> On Mon, Sep 14, 2009 at 1:42 PM, Pavel Stehule
>> <pavel(dot)stehule(at)gmail(dot)com> wrote:
>>>> How is it any worse than what people can already do? Anyone who
>>>> isn't aware
>>>> of the dangers of SQL injection has already screwed themselves.
>>>> You're
>>>> basically arguing that they would put a variable inside of
>>>> quotes, but they
>>>> would never use ||.
>>>
>>> simply - people use functions quote_literal or quote_ident.
>>
>> you still have use of those functions:
>> execute sprintf('select * from %s', quote_ident($1));
>>
>> sprintf is no more or less dangerous than || operator.
>
> sure. I commented different feature
>
> some := 'select * from $1'
>
> regards
> Pavel
>
> p.s. In this case, I am not sure what is more readable:
>
> execute 'select * from ' || quote_ident($1)
>
> is readable well too.
Ahh... the problem is one of fixating on an example instead of the
overall use case.
More examples...
RETURN 'Your account is now $days_overdue days overdue. Please
contact your account manager ($manager_name) to ...';
And an example of how readability would certainly be improved...
sql := $$INSERT INTO cnu_stats.$$ || v_field_name || $$( $$ ||
v_field_name || $$ )
SELECT DISTINCT $$ || v_field_name || $$
FROM chunk t
WHERE NOT EXISTS( SELECT * FROM cnu_stats.$$ || v_field_name
|| $$ s WHERE s.$$
|| v_field_name || $$ = t.$$ || v_field_name || $$ )$$
becomes
sql := $$INSERT INTO cnu_stats.${v_field_name} ( ${v_field_name} )
SELECT DISTINCT $v_field_name
FROM chunk t
WHERE NOT EXISTS( SELECT * FROM cnu_stats.${v_field_name} s
WHERE s.${v_field_name} = t.$
{v_field_name} )$$
Granted, that example wouldn't be too bad with sprintf, but only
because everything is referencing the same field.
--
Decibel!, aka Jim C. Nasby, Database Architect decibel(at)decibel(dot)org
Give your computer some brain candy! www.distributed.net Team #1828
From | Date | Subject | |
---|---|---|---|
Next Message | David Fetter | 2009-09-14 23:23:58 | Re: Feature Request: JSON input for hstore |
Previous Message | Jeff Davis | 2009-09-14 23:05:06 | Re: Feature Request: JSON input for hstore |