Re: Protection from SQL injection
| От | Gurjeet Singh |
|---|---|
| Тема | Re: Protection from SQL injection |
| Дата | |
| Msg-id | 65937bea0804301011v1b990437p46f175eea1c496fb@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Protection from SQL injection ("Thomas Mueller" <thomas.tom.mueller@gmail.com>) |
| Ответы |
Re: Protection from SQL injection
|
| Список | pgsql-hackers |
On Wed, Apr 30, 2008 at 8:52 PM, Thomas Mueller <thomas.tom.mueller@gmail.com> wrote:
Maybe we can extend the SQL's WITH clause do declare the constant along with the query, and not separate from the query.
WITH CONSTANT c_jobrole = 'clerk', CONSTANT c_dept = 10
SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;
and let postgres allow literals only in the WITH clause.
Also, IMHO, the type of the expression should be automatically deduced. The right hand side should be an expression and not just a string or numeric literal. For eg. the above query can be written as:
WITH
CONSTANT c_jobrole = 'clerk',
CONSTANT c_deptname = 'FINANCE'::text,
CONSTANT c_dept = (SELECT dname FROM dept WHERE dname = c_deptname)
SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;
so the expression can be CAST'd into appropriate type wherever needed.
Best regards,
--
gurjeet[.singh]@EnterpriseDB.com
singh.gurjeet@{ gmail | hotmail | indiatimes | yahoo }.com
EnterpriseDB http://www.enterprisedb.com
Mail sent from my BlackLaptop device
Hi,
Constants are just convenience: instead of constants, user defined
functions can be used. This already works, however it's a bit verbose:
CREATE FUNCTION STATE_ACTIVE() RETURNS VARCHAR AS
$$ BEGIN RETURN 'active'; END; $$ LANGUAGE PLPGSQL;
Usage is almost the same:
SELECT * FROM USERS WHERE STATE=STATE_ACTIVE();This is _not_ macro expansion as in C '#define'. Constants are typed,
> therefore arbitrary macro expansion like in those "plenty of languages"
> does not seem like a good idea to me.
as in C++ 'const' and Java 'static final'. The question is only:
should the user explicitly state the data type, or should the data
type be deduced from the value. Both is possible:
CREATE CONSTANT STATE_ACTIVE VALUE 'active';
CREATE CONSTANT STATE_ACTIVE TEXT VALUE 'active';
Maybe we can extend the SQL's WITH clause do declare the constant along with the query, and not separate from the query.
WITH CONSTANT c_jobrole = 'clerk', CONSTANT c_dept = 10
SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;
and let postgres allow literals only in the WITH clause.
Also, IMHO, the type of the expression should be automatically deduced. The right hand side should be an expression and not just a string or numeric literal. For eg. the above query can be written as:
WITH
CONSTANT c_jobrole = 'clerk',
CONSTANT c_deptname = 'FINANCE'::text,
CONSTANT c_dept = (SELECT dname FROM dept WHERE dname = c_deptname)
SELECT * FROM emp WHERE jobrole = c_jobrole and deptno = c_dept;
so the expression can be CAST'd into appropriate type wherever needed.
--
gurjeet[.singh]@EnterpriseDB.com
singh.gurjeet@{ gmail | hotmail | indiatimes | yahoo }.com
EnterpriseDB http://www.enterprisedb.com
Mail sent from my BlackLaptop device
В списке pgsql-hackers по дате отправления: