Re: Arrays with Rails? - Mailing list pgsql-general
From: Listmail
Subject: Re: Arrays with Rails?
Date:
Msg-id: op.tqpy7qr5zcizji@apollo13
In response to: Re: Arrays with Rails? (Alexander Presber <aljoscha@weisshuhn.de>)
List: pgsql-general
On Fri, 13 Apr 2007 12:15:30 +0200, Alexander Presber <aljoscha@weisshuhn.de> wrote:

> Listmail wrote:
>> Then, other languages will make you feel the pain of having to
>> quote all your arguments YOURSELF and provide all results as string.
>> The most famous offender is PHP (this causes countless security
>> holes).
>> I partially did this for PHP. It's a lifesaver. No more
>> addslashes() ! Yay !
>
> What about PEAR MDB2?
> http://pear.php.net/manual/en/package.database.mdb2.php
>
> Is it any good?
>
> Cheers, Alex

Well, the problem with a lot of PHP libraries is that they are written by people who don't think.

Python's interface for doing a query in your code is close to the ideal, which should be something like that:

    query( "SELECT * FROM duhhh WHERE id=%s AND date < %s", id, date )

(Python's API has an extra set of () and it also takes named parameters.)

If id is a Python integer and date a Python datetime object, format conversion is automatic. If they are not, first they should be, but whatever error the programmer makes DOES NOT make a SQL injection. At most psql will complain that you try to compare a date with something that is not a date, but you don't get hacked, since in order to put an un-quoted argument into the SQL you have to do it really on purpose.

Now, I use many database queries in my web applications (so does everyone), therefore I consider a system that needs me to type a lot of crap in order to work to be DUMB.

PEAR::DB2 says:

    $query = 'INSERT INTO tablename (id, itemname, saved_time) VALUES ('
           . $mdb2->quote($id, 'integer') .', '
           . $mdb2->quote($name, 'text') .', '
           . $mdb2->quote($time, 'timestamp') .')';
    $res =& $mdb2->query($query);

As you see,
- it's a lot less compact and readable
- it's a pain to use, so I will copy-paste code, which is the GREAT EVIL and a good source of bugs
- you have to repeat the variable types (who cares ?)
- if I am not well awake I may forget to type that crap because I'm sure the variable is an integer, why bother (but am I really sure ? => get hacked)

Since PHP has no type for date, a much better way of doing this would be:

    query( "INSERT INTO ... VALUES %s,%s,%s", $id, $name, DB::datetime( $timestamp ) )

with all the basic types being quoted as they come (i.e. like a string, since postgres doesn't care between 1 and '1'), and a few adapters for other types (like date).

Also the ORM part of PEAR::DB2 is braindead since the field specifiers are not objects that you can customize and derive...
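The contrast the post draws, driver-level parameter binding versus quoting every value yourself, as an added example that is not part of the original thread or of any library it mentions. It uses Python's sqlite3 module so it runs offline (sqlite3 uses `?` placeholders where the psycopg-style API in the post uses `%s`; the binding mechanism is the same), an in-memory table with constructed rows, the same hostile id value fed to both styles, and a registered adapter for date objects standing in for the post's proposed `DB::datetime` helper. The table, column and function names are invented for the example.

```python
import sqlite3
from datetime import date

# Constructed sample rows (not from the original thread): id, name, created date.
SAMPLE_ROWS = [
    (1, "alice", "2007-01-10"),
    (2, "bob", "2007-03-05"),
    (3, "carol", "2007-04-12"),
]

# The "adapter for other types" the post asks for: tell the driver how to turn a
# date object into a bound parameter. Basic types (int, str) need no adapter,
# and "2" binds as text that the INTEGER column coerces to 2, much as the post
# says postgres does not care between 1 and '1'.
sqlite3.register_adapter(date, lambda d: d.isoformat())


def setup_db():
    """In-memory sqlite database with the constructed rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE duhhh (id INTEGER PRIMARY KEY, name TEXT, created TEXT)")
    conn.executemany("INSERT INTO duhhh VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_vulnerable(conn, id_value, before):
    """Quote-it-yourself style: values are pasted into the SQL text, so the caller
    is trusted to have escaped every one of them (here, nobody did)."""
    sql = "SELECT id, name FROM duhhh WHERE id=%s AND created < '%s'" % (id_value, before)
    return conn.execute(sql).fetchall()


def find_parameterized(conn, id_value, before):
    """Parameter binding: the SQL text is fixed, values travel separately to the
    driver, so a hostile value can only ever be compared, never parsed as SQL."""
    sql = "SELECT id, name FROM duhhh WHERE id=? AND created < ?"
    return conn.execute(sql, (id_value, before)).fetchall()


def demo():
    """Run both styles against a fresh database with a hostile id and an honest one."""
    conn = setup_db()
    hostile = "1 OR 1=1 --"  # the trailing comment swallows the date condition
    return {
        # comment strips "AND created < ..." and OR 1=1 matches every row
        "vulnerable": find_vulnerable(conn, hostile, date(2008, 1, 1)),
        # id is compared against the literal text "1 OR 1=1 --": no row matches
        "parameterized": find_parameterized(conn, hostile, date(2008, 1, 1)),
        # a string "2" still finds row 2; the date object goes through the adapter
        "honest": find_parameterized(conn, "2", date(2007, 4, 1)),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-14s %s" % (label + ":", rows))
```

The vulnerable call returns all three rows even though the date cutoff should exclude none or all of them depending on the value; the bound version returns nothing for the hostile id and the expected row for the honest one. With a database that type-checks comparisons more strictly, the hostile text bound to an integer column would be rejected outright, which is the "at most it complains" outcome the post describes.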