On Mar 15, 2007, at 11:31 , Ron Mayer wrote:
> Josh Berkus wrote:
>>> And then what? dynamically construct all your SQL queries?
>>> Sure, sounds like a simple solution to me...
>>
>> Not to mention DB security issues. How do you secure your
>> database when
>> your web client has DDL access?
>>
>> So, Edward, the really *interesting* idea would be to come up with a
>> secure, normalized way to do UDFs *without* EAV tables. People
>> would be
>> very impressed.
>>
>
> I have a system with many essentially user-defined fields, and was
> thinking of creating something similar to an Array type and writing
> some GIST indexes for it.
>
> My current workaround is to store them as a YAML document and use
> tsearch to index it (with application logic to further refine the
> results) - but a EAV datatype that could be put in tables and
> effectively indexed would be of quite a bit of interest here.
> And yes, a better say to do UDFs would be even cooler.
Out of all the databases that I have used, postgresql offers the most
flexible DDL- mostly for one reason: they can operate within
transactions.
To handle arbitrary strings as column identifiers, the column names
could actually be stripped down to lower-case letters and the "real
title" could be stored in a separate table or as column comments.
Mr. Berkus' concern regarding the security implications is already
handled by privilege separation or security-definer functions.
The OP's concern about the difficulty about querying a schema
structure is alleviated via any number of APIs in Perl, JDBC, etc.
It seems to me that postgresql is especially well-suited to run DDL
at runtime, so what's the issue?
-M