On Sun, 13 Apr 2008 10:03:48 +0800 Craig Ringer <craig@xxxxxxxxxxxxxxxxxxxxx> wrote: > Your wrapper code can potentially do things like scan a string for > semicolons not enclosed in single or double quotes. The rule > probably has to be a little more complex than that, and has to > handle escaped quotes, but it might achieve what you want. I think this logic is already somewhere in the driver or the pg engine. Whatever you write at the application level a) risk to be a duplication of part of the parser b) risk to be less smart than the parser itself and let slip something. > Personally I doubt it's worth it for the questionable benefits > gained over following a strong coding standard and having good code > review. > I do think that for web scripting users it would be nice for DB > drivers to optionally throw an error if an execute call passes more > than one statement. Your problem would be that it'd need to be an > option that affects the whole app instance for it to achieve what > you want without developer action, and a global option like that > would potentially break 3rd party application code. The alternative > would be something like an executeSingle(...) call or a flag to > execute ... but that again just comes back to proper code review to > ensure it's used. Why does it have to be "global", couldn't it be "by connection" or "by call to pg_query"? On Sun, 13 Apr 2008 00:13:49 +0100 Sam Mason <sam@xxxxxxxxxxxxx> wrote: > On Sat, Apr 12, 2008 at 11:06:42PM +0200, Ivan Sergio Borgonovo > wrote: > > But what about already written code that use pg_query? > > If you rewrite the database interface then it doesn't matter, the > calls to pg_query will end up being calls to prepare/execute > underneath so you'll have their protection. If you mean that Sorry to everybody for not testing first what you were suggesting in chorus. function test_me() { $result=pg_prepare("tonno"," select ItemID from catalog_items limit 1; create table tonno(au int);"); $result=pg_execute("tonno"); return "pippo"; } Query failed: ERROR: cannot insert multiple commands into a prepared statement in ... Not something easy to deploy after the cats are out, but at least I've learnt something. thanks -- Ivan Sergio Borgonovo http://www.webthatworks.it