Re: RfD: more powerful "any" types

Поиск
Список
Период
Сортировка
От decibel
Тема Re: RfD: more powerful "any" types
Дата
Msg-id B8568D89-6B44-4EE3-B936-A1D2F59E1C0E@decibel.org
обсуждение исходный текст
Ответ на Re: RfD: more powerful "any" types  (Pavel Stehule <pavel.stehule@gmail.com>)
Ответы Re: RfD: more powerful "any" types
Список pgsql-hackers
Дерево обсуждения 
On Sep 14, 2009, at 1:02 PM, Pavel Stehule wrote:

> 2009/9/14 Merlin Moncure <mmoncure@gmail.com>:
>> On Mon, Sep 14, 2009 at 1:42 PM, Pavel Stehule  
>> <pavel.stehule@gmail.com> wrote:
>>>> How is it any worse than what people can already do? Anyone who  
>>>> isn't aware
>>>> of the dangers of SQL injection has already screwed themselves.  
>>>> You're
>>>> basically arguing that they would put a variable inside of  
>>>> quotes, but they
>>>> would never use ||.
>>>
>>> simply - people use functions quote_literal or quote_ident.
>>
>> you still have use of those functions:
>> execute sprintf('select * from %s', quote_ident($1));
>>
>> sprintf is no more or less dangerous than || operator.
>
> sure. I commented different feature
>
> some := 'select * from $1'
>
> regards
> Pavel
>
> p.s. In this case, I am not sure what is more readable:
>
> execute 'select * from ' || quote_ident($1)
>
> is readable well too.


Ahh... the problem is one of fixating on an example instead of the  
overall use case.

More examples...

RETURN 'Your account is now $days_overdue days overdue. Please  
contact your account manager ($manager_name) to ...';

And an example of how readability would certainly be improved...

sql := $$INSERT INTO cnu_stats.$$ || v_field_name || $$( $$ ||  
v_field_name || $$ )    SELECT DISTINCT $$ || v_field_name || $$        FROM chunk t        WHERE NOT EXISTS( SELECT *
FROMcnu_stats.$$ || v_field_name  
 
|| $$ s WHERE s.$$            || v_field_name || $$ = t.$$ || v_field_name || $$ )$$

becomes

sql := $$INSERT INTO cnu_stats.${v_field_name} ( ${v_field_name} )    SELECT DISTINCT $v_field_name        FROM chunk t
      WHERE NOT EXISTS( SELECT * FROM cnu_stats.${v_field_name} s                              WHERE s.${v_field_name}
=t.$ 
 
{v_field_name} )$$

Granted, that example wouldn't be too bad with sprintf, but only  
because everything is referencing the same field.
-- 
Decibel!, aka Jim C. Nasby, Database Architect  decibel@decibel.org
Give your computer some brain candy! www.distributed.net Team #1828

В списке pgsql-hackers по дате отправления: