Re: Data type to use for primary key

From: Pierre-Frédéric Caillaud <lists(at)boutiquenumerique(dot)com>
To: pgsql-performance(at)postgresql(dot)org
Subject: Re: Data type to use for primary key
Date: 2004-11-23 16:45:27
Message-ID: opshxfh1ibcq72hf@musicbox
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-performance


> All,
> Well, you should still escape any strings you're getting from a web
> page so
> you can ensure you're not subject to a SQL insert attack, even if you're
> expecting integers.
> Thanks,
> Peter Darley

Well, your framework should do this for you :

"integer" specified in your database object class description
"%d" appears in in your generated queries (or you put it in your hand
written queries)
=> if the parameter is not an integer, an exception is thrown, then
catched, then an error page is displayed...

Or, just casting to int should throw an exception...

Forms should be validated, but hidden parameters in links are OK imho to
display an error page if they are incorrect, after all, if the user edits
the get or post parameters, well...

In response to

Browse pgsql-performance by date

  From Date Subject
Next Message Merlin Moncure 2004-11-23 17:06:47 Re: [pgsql-hackers-win32] scalability issues on win32
Previous Message Alexandre Leclerc 2004-11-23 16:29:45 Re: Data type to use for primary key