Comments on: waiting for 8.4 http://www.depesz.com/index.php/2008/04/02/waiting-for-84-3/ Thu, 29 Jul 2010 21:40:44 +0000 hourly 1 http://wordpress.org/?v=3.0 By: dynamic SQL parameters in PL/PgSQL functions « imitatio creatio http://www.depesz.com/index.php/2008/04/02/waiting-for-84-3/comment-page-1/#comment-29553 dynamic SQL parameters in PL/PgSQL functions « imitatio creatio Mon, 08 Mar 2010 13:23:07 +0000 http://www.depesz.com/?p=1189#comment-29553 [...] course depesz wrote about it. And I did read it; But still (by routine) I was using something [...] [...] course depesz wrote about it. And I did read it; But still (by routine) I was using something [...]

]]> By: jdbo http://www.depesz.com/index.php/2008/04/02/waiting-for-84-3/comment-page-1/#comment-25704 jdbo Thu, 03 Apr 2008 02:07:46 +0000 http://www.depesz.com/?p=1189#comment-25704 That's a wonderful addition - but is there any possibility of this being made even more flexible in regards to the assigned parameters? For example, I can imagine a function that would create (and then execute) a few different variations on a query - with each variation using different parameters. Right now, each query variation would require a distinct EXECUTE USING statement that explicitly notes the parameters being passed in. However, if there was some way to pass the parameters as an array (or other complex variable, perhaps a record), then EXECUTE using becomes a much more general-purpose tool, further encouraging its use. While this treads near the "dangerous waters" territory of SQL queries and parameters being passed around between functions, I think that everything that can be done to encourage safe avodiance of SQL injection (which EXECUTE functionality is oh-so-vulnerable to) as an improvement. That’s a wonderful addition – but is there any possibility of this being made even more flexible in regards to the assigned parameters?

For example, I can imagine a function that would create (and then execute) a few different variations on a query – with each variation using different parameters.

Right now, each query variation would require a distinct EXECUTE USING statement that explicitly notes the parameters being passed in.

However, if there was some way to pass the parameters as an array (or other complex variable, perhaps a record), then EXECUTE using becomes a much more general-purpose tool, further encouraging its use.

While this treads near the “dangerous waters” territory of SQL queries and parameters being passed around between functions, I think that everything that can be done to encourage safe avodiance of SQL injection (which EXECUTE functionality is oh-so-vulnerable to) as an improvement.

]]> By: Chris http://www.depesz.com/index.php/2008/04/02/waiting-for-84-3/comment-page-1/#comment-25699 Chris Wed, 02 Apr 2008 17:17:42 +0000 http://www.depesz.com/?p=1189#comment-25699 This is long overdue. I'm glad to see a lot of progress already into the 8.4 branch with 8.3 having been released so recently. Kudos! This is long overdue. I’m glad to see a lot of progress already into the 8.4 branch with 8.3 having been released so recently. Kudos!

]]> By: darh|blog http://www.depesz.com/index.php/2008/04/02/waiting-for-84-3/comment-page-1/#comment-25697 darh|blog Wed, 02 Apr 2008 15:32:59 +0000 http://www.depesz.com/?p=1189#comment-25697 [...] version of PostgreSQL. Depesz is blogging about new and existing features, like the latest - "placeholders" in stored procedures for safer and cleaner code. Posted by Denis Arh Comments: (0) Trackbacks: [...] [...] version of PostgreSQL. Depesz is blogging about new and existing features, like the latest – "placeholders" in stored procedures for safer and cleaner code. Posted by Denis Arh Comments: (0) Trackbacks: [...]

]]> By: Russ Brown http://www.depesz.com/index.php/2008/04/02/waiting-for-84-3/comment-page-1/#comment-25694 Russ Brown Wed, 02 Apr 2008 14:23:14 +0000 http://www.depesz.com/?p=1189#comment-25694 Just wanted to thank you for this line of blogging: I'm very much enjoying it. Apart from beginning able to see the new features (even the small ones) with examples, it's nice knowing that progress is being made towards 8.4 on such a regular basis (and so soon). Thanks! Just wanted to thank you for this line of blogging: I’m very much enjoying it. Apart from beginning able to see the new features (even the small ones) with examples, it’s nice knowing that progress is being made towards 8.4 on such a regular basis (and so soon).

Thanks!

]]>