Re: Protection from SQL injection

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Tino Wildenhain <tino(at)wildenhain(dot)de>
Cc: Thomas Mueller <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-29 15:05:54
Message-ID: 48173952.6000103@dunslane.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Tino Wildenhain wrote:
> Hi,
>
>> In C the best practice is to use #define for constants. In C++ you
>> have 'const', in Java 'static final'. Unfortunately the 'named
>> constant' concept doesn't exist in SQL. I think that's a mistake. I
>> suggest to support CREATE CONSTANT ... VALUE ... and DROP CONSTANT
>> ..., example: CREATE CONSTANT STATE_ACTIVE VALUE 'active'.
>
> of course you mean:
>
> CREATE CONSTANT state_active TEXT VALUE 'active'; ? ;)

Why does he mean that? Manifest constants are not typed in plenty of
languages.

>
> interesting idea, would that mean PG complaints on queries
>
> SELECT state_active FROM sometable ... because
> state_active is already defined as constant?

Right, this would be a major can of worms. The only way it could work, I
suspect, is by segregating the identifier space to remove ambiguity
between constants and other identifiers.

cheers

andrew

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Aidan Van Dyk 2008-04-29 15:23:04 Re: Protection from SQL injection
Previous Message Alvaro Herrera 2008-04-29 14:59:17 pgsql: Remove typename from A_Const.