Re: Protection from SQL injection

From: Tino Wildenhain <tino(at)wildenhain(dot)de>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: Thomas Mueller <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-30 14:47:56
Message-ID: 4818869C.8010508@wildenhain.de
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Andrew Dunstan wrote:
>
>
> Tino Wildenhain wrote:
>> Hi,
>>
>>> In C the best practice is to use #define for constants. In C++ you
>>> have 'const', in Java 'static final'. Unfortunately the 'named
>>> constant' concept doesn't exist in SQL. I think that's a mistake. I
>>> suggest to support CREATE CONSTANT ... VALUE ... and DROP CONSTANT
>>> ..., example: CREATE CONSTANT STATE_ACTIVE VALUE 'active'.
>>
>> of course you mean:
>>
>> CREATE CONSTANT state_active TEXT VALUE 'active'; ? ;)
>
> Why does he mean that? Manifest constants are not typed in plenty of
> languages.

Well but in this case we want them to prevent easy sql injection and
therefore arbitrary macro expansion like in those "plenty of languages"
does not seem like a good idea to me.

Cheers
Tino

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Thomas Mueller 2008-04-30 15:22:50 Re: Protection from SQL injection
Previous Message Tom Lane 2008-04-30 14:30:14 Re: Proposed patch - psql wraps at window width