Re: Arrays with Rails?

From: Listmail <lists(at)peufeu(dot)com>
To: "Alexander Presber" <aljoscha(at)weisshuhn(dot)de>, pgsql-general(at)postgresql(dot)org
Subject: Re: Arrays with Rails?
Date: 2007-04-13 11:22:28
Message-ID: op.tqpy7qr5zcizji@apollo13
Lists: pgsql-general

On Fri, 13 Apr 2007 12:15:30 +0200, Alexander Presber
<aljoscha(at)weisshuhn(dot)de> wrote:

> Listmail schrieb:
>> Then, other languages will make you feel the pain of having to
>> quote all your arguments YOURSELF and provide all results as string.
>> The most famous offender is PHP (this causes countless security
>> holes).
>> I partially did this for PHP. It's a lifesaver. No more
>> addslashes() ! Yay !
>
> What about PEAR MDB2?
> http://pear.php.net/manual/en/package.database.mdb2.php
>
> Is it any good?
>
> Cheers, Alex

Well, the problem with a lot of PHP libraries is that they are written by
people who don't think.

Python's interface for doing a query in your code is close to the ideal,
which should be something like that :
query( "SELECT * FROM duhhh WHERE id=%s AND date < %s", id, date )
(python's API has an extra set of () and it also takes named parameters )

If id is a python integer and date a python datetime object, format
conversion is automatic.
If they are not, first they should be, but whatever error the programmer
makes DOES NOT make a SQL injection. At most psql will complain that you
try to compare a date with something that is not a date, but you don't get
hacked, since in order to put an un-quoted argument into the SQL you have
to do it really on purpose.

Now, I use many database queries in my web applications (so does
everyone), therefore I consider a system that needs me to type a lot of
crap in order to work is DUMB.

PEAR::DB2 says :

$query = 'INSERT INTO tablename (id, itemname, saved_time) VALUES ('
. $mdb2->quote($id, 'integer') .', '
. $mdb2->quote($name, 'text') .', '
. $mdb2->quote($time, 'timestamp') .')';
$res =& $mdb2->query($query);

As you see,
- it's a lot less compact and readable
- it's a pain to use, so I will copy-paste code, which is the GREAT EVIL
and a good source of bugs
- you have to repeat the variable types (who cares ?)
- if I am not well awake I may forget to type that crap because I'm sure
the variable is an integer, why bother (but am I really sure ? => get
hacked)

Since PHP has no type for date, a much better way of doing this would be :

query( "INSERT INTO ... VALUES %s,%s,%s", $id, $name,
DB::datetime( $timestamp ) )
with all the basic types being quoted as they come (i.e. like a string
since postgres doesn't care between 1 and '1'), and a few adapters for
other types (like date).

Also the ORM part of PEAR::DB2 is braindead since the field specifiers
are not objects that you can customize and derive...
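The contrast the mail draws between hand-quoted SQL and DB-API placeholders, as an added example that is not part of the original post: it uses Python's bundled sqlite3 (placeholder `?` where psycopg uses `%s`) and a constructed three-row table named after the post's "duhhh".

```python
import sqlite3

# Constructed sample data standing in for the post's "duhhh" table.
ROWS = [(1, "alice", "2007-04-01"),
        (2, "bob", "2007-04-02"),
        (3, "carol", "2007-04-13")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE duhhh (id INTEGER, name TEXT, date TEXT)")
    conn.executemany("INSERT INTO duhhh VALUES (?, ?, ?)", ROWS)
    return conn


def by_name_concat(conn, name):
    # The pattern the post warns about: the caller must remember to quote
    # every value. Here nobody did, so the value becomes SQL text.
    sql = "SELECT id FROM duhhh WHERE name='%s'" % name
    return [row[0] for row in conn.execute(sql)]


def by_name_param(conn, name):
    # DB-API placeholder: the driver passes the value separately from the
    # statement, so it can only ever be compared as data, never parsed.
    sql = "SELECT id FROM duhhh WHERE name=?"
    return [row[0] for row in conn.execute(sql, (name,))]


def by_id_and_date_param(conn, id_, date):
    # Two placeholders, mirroring the post's query("... id=%s AND date < %s").
    sql = "SELECT id FROM duhhh WHERE id=? AND date<?"
    return [row[0] for row in conn.execute(sql, (id_, date))]


if __name__ == "__main__":
    db = make_db()
    odd = "x' OR 'a'='a"          # constructed value containing a quote
    print(by_name_concat(db, odd))  # the quote changes the query's meaning
    print(by_name_param(db, odd))   # the quote is just part of the name
```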
