From: | Tino Wildenhain <tino(at)wildenhain(dot)de> |
---|---|
To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
Cc: | Thomas Mueller <thomas(dot)tom(dot)mueller(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Protection from SQL injection |
Date: | 2008-04-30 14:47:56 |
Message-ID: | 4818869C.8010508@wildenhain.de |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Andrew Dunstan wrote:
>
>
> Tino Wildenhain wrote:
>> Hi,
>>
>>> In C the best practice is to use #define for constants. In C++ you
>>> have 'const', in Java 'static final'. Unfortunately the 'named
>>> constant' concept doesn't exist in SQL. I think that's a mistake. I
>>> suggest to support CREATE CONSTANT ... VALUE ... and DROP CONSTANT
>>> ..., example: CREATE CONSTANT STATE_ACTIVE VALUE 'active'.
>>
>> of course you mean:
>>
>> CREATE CONSTANT state_active TEXT VALUE 'active'; ? ;)
>
> Why does he mean that? Manifest constants are not typed in plenty of
> languages.
Well but in this case we want them to prevent easy sql injection and
therefore arbitrary macro expansion like in those "plenty of languages"
does not seem like a good idea to me.
Cheers
Tino
From | Date | Subject | |
---|---|---|---|
Next Message | Thomas Mueller | 2008-04-30 15:22:50 | Re: Protection from SQL injection |
Previous Message | Tom Lane | 2008-04-30 14:30:14 | Re: Proposed patch - psql wraps at window width |