
Re: SQL injection with guile-pg

From: Greg Troxel
Subject: Re: SQL injection with guile-pg
Date: 15 Feb 2005 09:41:11 -0500
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3

I wasn't suggesting client-side caching; I agree that it seems not
worthwhile, at least now.

Bound parameters have two benefits, and a third in the guile-pg world:

  security (avoiding SQL injection)

  enabling server-side query caching since the variables are not part
  of the query proper any more

  [guile-pg] a path to automatic type conversion from Scheme->SQL, and
  easier explicit type conversion

In PG 7.4.6 docs, see section 27.2, PQexecParams.
Just adding a wrapper for that would be a big step forward.

Then I guess PQexecPrepared would be next; it's almost like
PQexecParams.  While one is supposed to just do a PQexec of a SQL
PREPARE statement, it might be nice to have a pq-prepare Scheme
procedure that returns the prepared name in a boxed type and make
PQexecPrepared require that, adding a bit more type safety than pg/SQL
has to start with.

The docs talk about the parameter types being known after the
statement is prepared.  If these can be extracted and put in the boxed
type with the query name, then the list of scheme params could be
converted to them via the registered type converters, and that would
be a very nice interface.

        Greg Troxel <address@hidden>
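The interface sketched in the message above, as an added example in Guile Scheme; it is not code from guile-pg or from this thread. Only pg-connectdb, pg-exec, pg-result-status, pg-ntuples and pg-getvalue are guile-pg's own procedures. pg-exec-params and pg-exec-prepared are assumed wrappers over libpq's PQexecParams and PQexecPrepared (connection, query or statement name, list of parameter values as text), which is exactly what the message proposes adding; pg-prepare, the prepared-stmt record and the type-converters table are hypothetical and only illustrate the boxed-handle design. The parameter types come from the programmer's PREPARE statement rather than being read back from the server, since that is all a PQexec of PREPARE gives you.

```scheme
;; Added example, not part of guile-pg or of the original message.
;; Real guile-pg: pg-connectdb, pg-exec, pg-result-status, pg-ntuples,
;; pg-getvalue.  ASSUMED (not in guile-pg at the time of this thread):
;; pg-exec-params and pg-exec-prepared, thin wrappers over libpq's
;; PQexecParams / PQexecPrepared taking (conn query-or-name list-of-text).
(use-modules (database postgres)
             (srfi srfi-9)    ; define-record-type
             (srfi srfi-13))  ; string-join

;; --- The injectable form: user text spliced into the SQL proper. ---
(define (lookup-user/unsafe conn name)
  (pg-exec conn (string-append "SELECT id FROM users WHERE name = '"
                               name "'")))
;; With name = "x' OR '1'='1" the query becomes
;;   SELECT id FROM users WHERE name = 'x' OR '1'='1'
;; and every row of the table comes back.

;; --- The bound-parameter form: the SQL proper never changes. ---
(define (lookup-user/safe conn name)
  ;; NAME travels to the server as the value of $1, so quote characters
  ;; in it are data, never syntax.  Same text, no injection.
  (pg-exec-params conn "SELECT id FROM users WHERE name = $1" (list name)))

;; --- A boxed prepared-statement handle (hypothetical). ---
;; Carries the server-side statement name together with the declared
;; parameter types; pg-exec-prepared* accepts nothing else, so a bare
;; string cannot be executed as though it were a prepared statement.
(define-record-type prepared-stmt
  (make-prepared-stmt name param-types)
  prepared-stmt?
  (name        prepared-stmt-name)
  (param-types prepared-stmt-param-types))

;; Registered Scheme->SQL converters, keyed by SQL type name.  Each
;; returns the text representation libpq will send for that parameter.
(define type-converters
  `(("integer" . ,number->string)
    ("boolean" . ,(lambda (b) (if b "t" "f")))
    ("text"    . ,(lambda (s) s))))

(define (convert-param type value)
  (let ((conv (assoc-ref type-converters type)))
    (if conv
        (conv value)
        (error "no Scheme->SQL converter registered for type:" type))))

;; pg-prepare: issue PREPARE through plain pg-exec (the PG 7.4 way) and
;; return the boxed handle.  NAME, PARAM-TYPES and SQL are fixed by the
;; programmer, so no user data is spliced into the statement text.
(define (pg-prepare conn name param-types sql)
  (let ((res (pg-exec conn (string-append
                            "PREPARE " name " ("
                            (string-join param-types ", ")
                            ") AS " sql))))
    (if (not (eq? (pg-result-status res) 'PGRES_COMMAND_OK))
        (error "PREPARE failed for statement:" name))
    (make-prepared-stmt name param-types)))

;; pg-exec-prepared*: type-check the handle, check the arity, convert
;; each Scheme argument with the registered converter for its declared
;; type, and hand the resulting text values to the assumed
;; pg-exec-prepared (i.e. PQexecPrepared).
(define (pg-exec-prepared* conn stmt args)
  (if (not (prepared-stmt? stmt))
      (error "pg-exec-prepared*: not a prepared statement handle:" stmt))
  (let ((types (prepared-stmt-param-types stmt)))
    (if (not (= (length types) (length args)))
        (error "pg-exec-prepared*: wrong number of parameters, expected"
               (length types)))
    (pg-exec-prepared conn
                      (prepared-stmt-name stmt)
                      (map convert-param types args))))

;; Usage (connection string and table are constructed for illustration).
(define conn (pg-connectdb "dbname=test"))
(define find-user
  (pg-prepare conn "find_user" '("text" "integer")
              "SELECT id FROM users WHERE name = $1 AND age > $2"))
;; The hostile name is harmless here: it is compared literally against
;; the name column, and 30 is converted by the "integer" converter.
(define res (pg-exec-prepared* conn find-user (list "x' OR '1'='1" 30)))
(if (> (pg-ntuples res) 0)
    (display (pg-getvalue res 0 0)))
```

Passing a plain string as the second argument to pg-exec-prepared*, or the wrong number of arguments, fails in Scheme before anything reaches the server; that is the "bit more type safety than pg/SQL has to start with" the message asks for. Under PostgreSQL 7.4 libpq the parameter types can only be known from the PREPARE text itself, which is why the handle records what the programmer declared.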
