Skip site navigation (1) Skip section navigation (2)

Re: Negative Integers Escaping

From: Marko Kreen <markokr(at)gmail(dot)com>
To: Federico Di Gregorio <federico(dot)digregorio(at)dndg(dot)it>
Cc: psycopg(at)postgresql(dot)org
Subject: Re: Negative Integers Escaping
Date: 2011-05-31 11:47:28
Message-ID: BANLkTikxaDk40r1N2+Cf0PW0gqx4JQE44w@mail.gmail.com (view raw or flat)
Thread:
Lists: psycopg
On Sun, May 29, 2011 at 11:04 PM, Federico Di Gregorio
<federico(dot)digregorio(at)dndg(dot)it> wrote:
> On 28/05/11 01:45, Daniele Varrazzo wrote:
>> On Fri, May 27, 2011 at 8:03 PM, Maxim Avanov <maxim(dot)avanov(at)gmail(dot)com> wrote:
>>> > Hi, Oswoldo. Thanks for reply.
>>>> >> Is a good rule to always put spaces between operators
>>> >
>>> > I agree. It's a good rule but it's neither in SQL nor in Postrges syntax
>>> > rules. And psycopg should guarantee a valid escaping of parameters according
>>> > to all possible and valid syntax rules.
>> There's plenty of space for creating pathological commands. Do you
>> want another one?
>>
>> "select * from blah limit%s"
>>
>> I think in general sticking characters in front of placeholders you
>> don't know how will get filled is not a robust way to write your sql
>> string.
>>
>> I'm -1 about complicating the escaping of simple values just to
>> accommodate artificial problems: fixing this one IMO wouldn't justify
>> the potential problems of backward incompatibilities that may arise.
>
> Sorry, but I don't agree. SQL rules explicitly say that LIMITX is
> invalid for any X because LIMIT should be separated from its argument by
> white space; so you're writing incorrect SQL from the start.
>
> A mathematical expression doesn't need, at least in SQL, any whitespace
> so, writing colname-%s is *correct* and the programmer is correct when
> expects the DB adapter to quote the arguments to make sure they don't
> introduce any new errors in SQL.

And the proper fix is quite well-known: $x placeholders
and Extended Query protocol.

Any other kind of query massaging seems inappropriate.

-- 
marko

In response to

Responses

psycopg by date

Next:From: Daniele VarrazzoDate: 2011-05-31 16:56:11
Subject: Re: Negative Integers Escaping
Previous:From: Daniele VarrazzoDate: 2011-05-30 21:18:12
Subject: Re: Negative Integers Escaping

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group