>
>> I'm porting this program from PHP. It's a US Census browser, if you're
>> curious: http://census.7gf.org . Anyway, it's basically one table and a
>> huge pile of indexes and some set queries. Each page there is just a
>> different query or two. I got through the front page and the about page
>> with Seaside and PostgresV3 and it works great, but now I need to handle a
>> query with the state as a parameter. In PHP (and JDBC, and Python's DBAPI),
>> I can say "SELECT * FROM places WHERE state = ? ORDER BY population DESC"
>> and then supply an array with the state in it, which fills in the '?' in
>> the query.
>>
>
Hi Daniel,

The sentence above could make a huge difference:

"SELECT * FROM places WHERE state = ? ORDER BY population DESC"

One thing is a prepared statement. That means the database can compile
the query in advance, then reuse it later, and when you execute it all
it does is bind variables to arguments. This is mostly for performance
reasons. If you want this, no, as far as I remember the OpenDBX driver does not
support prepared statements right now.

If you simply mean to write the above in Smalltalk code, then that's very
easy:

'SELECT * FROM places WHERE state = {1} ORDER BY {2} DESC' format: #('FL' 'population')

and that answers

 'SELECT * FROM places WHERE state = FL ORDER BY population DESC'

but this is only Smalltalk code, just an API facility. It has nothing to
do with prepared statements. The database will directly receive the query.


Regarding SQL injection, yes, we didn't implement the one provided by
OpenDBX, but you can give it a try yourself... but you would need to
recompile stuff.

Also, as mentioned by Joachim, if you use Glorp you are not likely to
write the queries yourself, so at least that helps... but I don't know if
Glorp provides something extra for SQL injection. You could ask in the Glorp
Google group.

Cheers,


-- 
Mariano
http://marianopeck.wordpress.com
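
To make the distinction in the reply above concrete (string substitution with
format: versus a real prepared statement, and what that means for SQL
injection), here is an added PostgreSQL example. It is not code from the
thread, from the OpenDBX driver, or from the PostgresV3 driver; the places
table, its three rows and the places_by_state statement name are constructed
for illustration. It shows the text the format: call produces, what happens
once the value is quoted but still pasted into the query, and how the same
hostile input behaves when bound to a $1 placeholder instead.

```sql
-- Constructed sample data (not the census site's real table).
CREATE TEMP TABLE places (
    name       text,
    state      text,
    population integer
);
INSERT INTO places VALUES
    ('Miami',   'FL', 442241),
    ('Tampa',   'FL', 384959),
    ('Atlanta', 'GA', 498715);

-- 1. The text the format: call in the reply hands to the server.
--    'FL' was substituted without quotes, so the parser reads FL as a
--    column name and the statement fails (column "fl" does not exist).
--    Kept commented out so the rest of the script runs:
-- SELECT * FROM places WHERE state = FL ORDER BY population DESC;

-- 2. Quoting the placeholder in the template ('{1}') fixes the syntax
--    error, but the value is still spliced into the SQL text. If the
--    state parameter arrives as   FL' OR '1'='1   the server receives
--    this statement and returns every row, Atlanta included:
SELECT * FROM places WHERE state = 'FL' OR '1'='1' ORDER BY population DESC;

-- 3. A server-side prepared statement: the query is parsed once with a
--    typed placeholder; EXECUTE only binds a value to $1, so the value can
--    never change the shape of the query.
PREPARE places_by_state (text) AS
    SELECT * FROM places WHERE state = $1 ORDER BY population DESC;

EXECUTE places_by_state('FL');                 -- 2 rows: Miami, Tampa

-- The same hostile input, bound as a parameter, is compared as one string
-- (FL' OR '1'='1) against the state column and matches nothing:
EXECUTE places_by_state('FL'' OR ''1''=''1');  -- 0 rows

DEALLOCATE places_by_state;
```

PREPARE/EXECUTE here is the SQL-level form of what the ? placeholders in
JDBC and DBAPI do behind the scenes; a PostgreSQL client that supports
binding sends the Parse/Bind/Execute messages of the version 3 protocol
rather than building the statement text on the client. Until a driver offers
that, the only client-side defense is to escape every interpolated value
(doubling single quotes, as in the last EXECUTE) before it goes through
format:, and that is easy to forget for one of the many queries in a page.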
