Skip site navigation (1) Skip section navigation (2)

Re: Protection from SQL injection

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Tino Wildenhain <tino(at)wildenhain(dot)de>
Cc: Thomas Mueller <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-29 15:05:54
Message-ID: 48173952.6000103@dunslane.net (view raw or flat)
Thread:
Lists: pgsql-hackers

Tino Wildenhain wrote:
> Hi,
>
>> In C the best practice is to use #define for constants. In C++ you
>> have 'const', in Java 'static final'. Unfortunately the 'named
>> constant' concept doesn't exist in SQL. I think that's a mistake. I
>> suggest to support CREATE CONSTANT ... VALUE ... and DROP CONSTANT
>> ..., example: CREATE CONSTANT STATE_ACTIVE VALUE 'active'.
>
> of course you mean:
>
> CREATE CONSTANT state_active TEXT VALUE 'active'; ? ;)

Why does he mean that? Manifest constants are not typed in plenty of 
languages.

>
> interesting idea, would that mean PG complaints on queries
>
> SELECT state_active FROM sometable ... because
> state_active is already defined as constant?

Right, this would be a major can of worms. The only way it could work, I 
suspect, is by segregating the identifier space to remove ambiguity 
between constants and other identifiers.

cheers

andrew


In response to

Responses

pgsql-hackers by date

Next:From: Aidan Van DykDate: 2008-04-29 15:23:04
Subject: Re: Protection from SQL injection
Previous:From: Alvaro HerreraDate: 2008-04-29 14:59:17
Subject: pgsql: Remove typename from A_Const.

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group