Обсуждение: [DOCS] Further Clarification request

Поиск
Список
Период
Сортировка

[DOCS] Further Clarification request

От
jym@outlook.com
Дата:
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/9.6/static/sql-prepare.html
Description:

https://www.postgresql.org/docs/9.6/static/sql-prepare.html

The first example:  I'd like to see Hunter's Valley in the execute line as
escaping isn't mentioned on the page or its links.
Just a suggestion to help us beginners understand how things work.

Re: [DOCS] Further Clarification request

От
"David G. Johnston"
Дата:
On Wed, Aug 9, 2017 at 6:25 AM, <jym@outlook.com> wrote:
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/9.6/static/sql-prepare.html
Description:

https://www.postgresql.org/docs/9.6/static/sql-prepare.html

The first example:  I&#39;d like to see Hunter&#39;s Valley in the execute line as
escaping isn&#39;t mentioned on the page or its links.
Just a suggestion to help us beginners understand how things work.

​This is one of hundreds of documentation examples that include literals.  Why is this one special that it needs to provide an example of a literal containing ​a single quote that requires escaping?

The SQL Command section of the docs properly presumes the reader has significant familiarity with writing SQL queries in PostgreSQL and is looking either for understanding what the different kinds of commands are or, more commonly, needs a refresher as to the exact syntax for less often used commands.  

More precisely, the vast majority of the docs assume you've read "Chapter 4. SQL Syntax".

David J.

Re: [DOCS] Further Clarification request

От
Jym Morton
Дата:

Mr. Johnston,

 

Q.  “Why is this one special that it needs to provide an example of a literal containing a single quote that requires escaping?”

 

A. Because it’s the one I was reading.

When I write software, and use a database I don’t need to escape literals if I have a Prepared Statement.  This is a major reason some of us use Prepared Statements.   So, when I looked at this page, I was unclear about was whether it or not I had to do it. 

 

Comment “The SQL Command section of the docs properly presumes the reader has significant familiarity with writing SQL queries in PostgreSQL”

 

Response. I am quite competent in writing SQL just not ‘in’ PostgreSQL and that’s the reason I was reading the manual.  I have made numerous pieces of software that use PostgreSQL as a backend.

 

Comment “More precisely, the vast majority of the docs assume you've read "Chapter 4. SQL Syntax".”

 

Response: I don’t have any issue with SQL Syntax. 

 

If the point of the Manual is to help people, maybe you shouldn’t be the one answering questions, you don’t seem to have the social skills needed.  Your response is arrogant, uncalled for and seemingly bitter.  It equivalent to me pointing out to you that “More precisely, the vast majority of the docs assume you've read "Chapter 4. SQL Syntax". “ is one of the most ridiculous comments ever written.  Unless the vast majority of the docs are sentient beings they can not assume.

 

 

From: David G. Johnston [mailto:david.g.johnston@gmail.com]
Sent: August 9, 2017 5:21 PM
To: jym@outlook.com
Cc: pgsql-docs@postgresql.org
Subject: Re: [DOCS] Further Clarification request

 

On Wed, Aug 9, 2017 at 6:25 AM, <jym@outlook.com> wrote:

The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/9.6/static/sql-prepare.html
Description:

https://www.postgresql.org/docs/9.6/static/sql-prepare.html

The first example:  I&#39;d like to see Hunter&#39;s Valley in the execute line as
escaping isn&#39;t mentioned on the page or its links.
Just a suggestion to help us beginners understand how things work.

 

​This is one of hundreds of documentation examples that include literals.  Why is this one special that it needs to provide an example of a literal containing ​a single quote that requires escaping?

 

The SQL Command section of the docs properly presumes the reader has significant familiarity with writing SQL queries in PostgreSQL and is looking either for understanding what the different kinds of commands are or, more commonly, needs a refresher as to the exact syntax for less often used commands.  

 

More precisely, the vast majority of the docs assume you've read "Chapter 4. SQL Syntax".

 

David J.

 

Re: [DOCS] Further Clarification request

От
"David G. Johnston"
Дата:
On Wed, Aug 9, 2017 at 3:21 PM, Jym Morton <jym@outlook.com> wrote:

When I write software, and use a database I don’t need to escape literals if I have a Prepared Statement.  This is a major reason some of us use Prepared Statements.   So, when I looked at this page, I was unclear about was whether it or not I had to do it. 


(​pseudo-code)​
PREPARE 'SELECT $1';
EXECTUE ('; TRUNCATE pg_catalog');

PostgreSQL is going to ensure the "; TRUCATE pg_catalog" is considered a single literal value when it execute SELECT $1 and so the final result is that you get a 1x1 result with the text "; TRUNCATE pg_catalog" instead of a broken database.  That is the major reason I use prepared statements, to prevent SQL-injection.

You still have write the literal value within EXECUTE in a manner that PostgreSQL can parse the command.  That is why you must escape a single quote in the value otherwise that single quote will mark the end of the literal and the statement will provoke a syntax error.

EXECUTE ('; bob's niece is 4 years old'); -- '; bob' is the literal and the stray "s" will a problem.  Chapter 4 covers this dynamic.

There is no material difference compared to the rules to write:

SELECT 'bob''s niece is 4 years old';

and none of the examples on the SELECT page use a literal value with an embedded single quote...

 

Comment “More precisely, the vast majority of the docs assume you've read "Chapter 4. SQL Syntax".”

 

Response: I don’t have any issue with SQL Syntax. 


​​
​I'm sorry but your 
​suggestion is to have this page of the documentation help clarify a point of SQL syntax with which you were unfamiliar.  In may be PostgreSQL's particular flavor of SQL that is in question here but it is still properly called SQL syntax.
 

​​
 Unless the vast majority of the docs are sentient beings they can not assume. 


​Ok, so "the writers of" the documentation assume some level of knowledge for the reader so that they can avoid being repetitive.  You may disagree with what is assumed but I stand by my opinion that whomever wrote this example did not need to consider that their example would be improved if they used a value that required escaping.

Ultimately, if someone wanted to act on your suggestion it wouldn't bother me.  But I see no systematic problem with this example.

David J.

Re: [DOCS] Further Clarification request

От
"David G. Johnston"
Дата:
On Wed, Aug 9, 2017 at 4:03 PM, David G. Johnston <david.g.johnston@gmail.com> wrote:
On Wed, Aug 9, 2017 at 3:21 PM, Jym Morton <jym@outlook.com> wrote:

When I write software, and use a database I don’t need to escape literals if I have a Prepared Statement.  This is a major reason some of us use Prepared Statements.   So, when I looked at this page, I was unclear about was whether it or not I had to do it. 


(​pseudo-code)​
PREPARE 'SELECT $1';
EXECTUE ('; TRUNCATE pg_catalog');


​To be clear - you only need to escape the single quote once - to write the original literal.

EXECUTE ('bob''s niece')​ -- bob's niece, with no risk of SQL injection

David J.