
Re: Data type to use for primary key

From: Pierre-Frédéric Caillaud <lists(at)boutiquenumerique(dot)com>
To: pgsql-performance(at)postgresql(dot)org
Subject: Re: Data type to use for primary key
Date: 2004-11-23 16:45:27
Message-ID: opshxfh1ibcq72hf@musicbox
Lists: pgsql-performance
> All,
> Well, you should still escape any strings you're getting from a web
> page so you can ensure you're not subject to a SQL insert attack, even
> if you're expecting integers.
> Thanks,
> Peter Darley

Well, your framework should do this for you:

"integer" is specified in your database object class description, "%d" appears in your generated queries (or you put it in your hand-written queries) => if the parameter is not an integer, an exception is thrown, then caught, then an error page is displayed...

Or, just casting to int should throw an exception...

Forms should be validated, but for hidden parameters in links it is OK, IMHO, to display an error page if they are incorrect; after all, if the user edits the GET or POST parameters, well...
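The "cast to int and let it throw" approach, as an added example that is not part of the post or of any framework it mentions. It assumes a Python web layer and a psycopg-style `%s` placeholder; `parse_pk` is stricter than a bare `int()` cast, which would also accept forms such as `"1_000"` or non-ASCII digits, and it checks the PostgreSQL int4/int8 range so the value fits the key column.

```python
import re

# Only an optional sign and ASCII digits: int() alone also accepts
# "1_000", "١٢" (Arabic-Indic digits) and surrounding whitespace.
_INT_RE = re.compile(r"[+-]?[0-9]+")


class BadKeyError(ValueError):
    """Raised when a request parameter is not a valid integer key."""


def parse_pk(raw, bits=32):
    """Strictly parse a primary-key request parameter into a Python int.

    bits=32 matches PostgreSQL int4 (serial), bits=64 matches int8 (bigserial).
    """
    if not isinstance(raw, str):
        raise BadKeyError("key must arrive as a string parameter")
    text = raw.strip()
    if not _INT_RE.fullmatch(text):
        raise BadKeyError(f"not an integer: {raw!r}")
    value = int(text)
    lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    if not lo <= value <= hi:
        raise BadKeyError(f"out of int{bits // 8} range: {value}")
    return value


def lookup_query(raw_id):
    """Return (sql, params): the validated key is bound as a parameter,
    never interpolated into the SQL text (hypothetical users table)."""
    pk = parse_pk(raw_id)
    return "SELECT name FROM users WHERE id = %s", (pk,)


def handle_request(raw_id):
    """Map a bad key to an error page instead of letting it reach the query."""
    try:
        sql, params = lookup_query(raw_id)
    except BadKeyError:
        return 400, "Bad request: invalid id"
    return 200, (sql, params)
```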
