Re: Protection from SQL injection

Tino Wildenhain wrote:
> Hi,
>
>> In C the best practice is to use #define for constants. In C++ you
>> have 'const', in Java 'static final'. Unfortunately the 'named
>> constant' concept doesn't exist in SQL. I think that's a mistake. I
>> suggest to support CREATE CONSTANT ... VALUE ... and DROP CONSTANT
>> ..., example: CREATE CONSTANT STATE_ACTIVE VALUE 'active'.
>
> of course you mean:
>
> CREATE CONSTANT state_active TEXT VALUE 'active'; ? ;)

Why does he mean that? Manifest constants are not typed in plenty of 
languages.

>
> interesting idea, would that mean PG complaints on queries
>
> SELECT state_active FROM sometable ... because
> state_active is already defined as constant?

Right, this would be a major can of worms. The only way it could work, I 
suspect, is by segregating the identifier space to remove ambiguity 
between constants and other identifiers.

cheers

andrew