Re: [PATCHES] Fw: Isn't pg_statistic a security hole - Solution Proposal

Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> IMHO, nextval() isn't the greatest interface in the world. I do like the
> alternative (deprecated?) syntax sequence.nextval() because of the
> notational resemblence to OO.

Try "nonexistent". I too would like a notation like that, because it
would be more transparent to the user w.r.t. case folding and such.
But it doesn't exist now.

Observe, however, that such a notation would work well only for queries
in which the sequence/table name is fixed and known when the query is
written. I don't see a way to use it in the case where the name is
being computed at runtime (eg, taken from a table column). So it
doesn't really solve the problem posed by has_table_privilege.

> As I understand it, currently
> relation.function(a, b, c)
> ends up as being a function call
> function(relation, a, b, c)
> where the first argument is "text".

Sorry, that has nothing to do with reality. What we actually have is
an equivalence between the two notations
rel.func
func(rel)
where the semantics are that an entire tuple of the relation "rel" is
passed to the function. This doesn't really gain us anything for the
problem at hand (and we'll quite likely have to give it up anyway when
we implement schemas, since SQL has very different ideas about what
a.b.c means than our current parser does).

regards, tom lane