Re: RfD: more powerful "any" types

On Sep 14, 2009, at 1:02 PM, Pavel Stehule wrote:

> 2009/9/14 Merlin Moncure <mmoncure(at)gmail(dot)com>:
>> On Mon, Sep 14, 2009 at 1:42 PM, Pavel Stehule
>> <pavel(dot)stehule(at)gmail(dot)com> wrote:
>>>> How is it any worse than what people can already do? Anyone who
>>>> isn't aware
>>>> of the dangers of SQL injection has already screwed themselves.
>>>> You're
>>>> basically arguing that they would put a variable inside of
>>>> quotes, but they
>>>> would never use ||.
>>>
>>> simply - people use functions quote_literal or quote_ident.
>>
>> you still have use of those functions:
>> execute sprintf('select * from %s', quote_ident($1));
>>
>> sprintf is no more or less dangerous than || operator.
>
> sure. I commented different feature
>
> some := 'select * from $1'
>
> regards
> Pavel
>
> p.s. In this case, I am not sure what is more readable:
>
> execute 'select * from ' || quote_ident($1)
>
> is readable well too.

Ahh... the problem is one of fixating on an example instead of the
overall use case.

More examples...

RETURN 'Your account is now $days_overdue days overdue. Please
contact your account manager ($manager_name) to ...';

And an example of how readability would certainly be improved...

sql := $$INSERT INTO cnu_stats.$$ || v_field_name || $$( $$ ||
v_field_name || $$ )
SELECT DISTINCT $$ || v_field_name || $$
FROM chunk t
WHERE NOT EXISTS( SELECT * FROM cnu_stats.$$ || v_field_name
|| $$ s WHERE s.$$
|| v_field_name || $$ = t.$$ || v_field_name || $$ )$$

becomes

sql := $$INSERT INTO cnu_stats.${v_field_name} ( ${v_field_name} )
SELECT DISTINCT $v_field_name
FROM chunk t
WHERE NOT EXISTS( SELECT * FROM cnu_stats.${v_field_name} s
WHERE s.${v_field_name} = t.$
{v_field_name} )$$

Granted, that example wouldn't be too bad with sprintf, but only
because everything is referencing the same field.
--
Decibel!, aka Jim C. Nasby, Database Architect decibel(at)decibel(dot)org
Give your computer some brain candy! www.distributed.net Team #1828