[Libpqxx-general] Prepared statements, cursors, and quoting

Jeroen T. Vermeulen jtv at xs4all.nl
Thu Sep 6 17:21:47 UTC 2007


Hello Scott,

On Thu, September 6, 2007 04:41, Scott Gifford wrote:

> I wasn't able to find a way to use a prepared statement to create a
> cursor.  pqxx::prepare::invocation doesn't seem to have a method to
> return a cursor instead of a pqxx::result object, and
> pqxx::icursorstream::icursorstream doesn't seem to have a constructor
> that takes any kind of prepared statement.
>
> Is it possible to use a prepared statement with a cursor?

To be honest it never occurred to me that it'd make sense to anyone...  If
you know the name of the cursor, you can wrap it in a cursor object (an
"adopted" cursor in libpqxx terms) and then use that.  But again it hadn't
occurred to me that anyone would want to do that for an icursorstream!


> However, I'm having some trouble figuring out how to quote strings
> like this.  The string escaping mechanism seems to be the "esc" method
> of pqxx::transaction_base, but since I'm constructing the query string
> before starting the transaction I don't have a way to access this.  Is
> there another way?

Maybe connection_base::esc() should be public.  It does the same thing,
after all.

The reason not to do that before was that in principle, if you don't have
an ongoing transaction, it's possible for the connection to be
transparently re-established between the moment you escape your string and
the moment you use the result.  If the re-established connection ends up
being in a different encoding than the original one, your string might be
escaped in the wrong encoding which could be a security hole.

But perhaps that's a bit far-fetched.  It'd be a very strange thing for
encodings to change like that, except if your application changed the
client encoding in which case the reconnection code would restore your
setting anyway.


Jeroen
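
The hazard described in the message above (a string escaped under one client encoding, then used after a transparent reconnect under another) can be guarded against by tagging each escaped string with the encoding it was escaped for. This is an added example, not libpqxx code and not code from this thread; `Encoding`, `Escaped`, `escape_for` and `quote_into` are hypothetical names. It assumes only UTF-8 and Shift-JIS need modelling and that standard_conforming_strings is on, so only single quotes are doubled.

```cpp
#include <stdexcept>
#include <string>

// Hypothetical names throughout; none of this is libpqxx API.
enum class Encoding { UTF8, SJIS };

// Byte length of the character that starts with lead byte c.
static std::size_t char_len(Encoding enc, unsigned char c) {
    if (enc == Encoding::SJIS)
        return ((c >= 0x81 && c <= 0x9F) || (c >= 0xE0 && c <= 0xFC)) ? 2 : 1;
    if (c < 0x80) return 1;
    if ((c & 0xE0) == 0xC0) return 2;
    if ((c & 0xF0) == 0xE0) return 3;
    if ((c & 0xF8) == 0xF0) return 4;
    throw std::invalid_argument("invalid UTF-8 lead byte");
}

// True if b may follow a lead byte inside a multibyte character.
static bool is_trail(Encoding enc, unsigned char b) {
    return enc == Encoding::SJIS ? (b >= 0x40 && b != 0x7F && b <= 0xFC)
                                 : (b & 0xC0) == 0x80;
}

// An escaped string that remembers the client encoding it was escaped for.
struct Escaped { std::string text; Encoding enc; };

// Double single quotes one whole character at a time; reject malformed input.
Escaped escape_for(Encoding enc, const std::string &in) {
    std::string out;
    for (std::size_t i = 0; i < in.size();) {
        std::size_t n = char_len(enc, static_cast<unsigned char>(in[i]));
        if (i + n > in.size())
            throw std::invalid_argument("truncated multibyte character");
        for (std::size_t k = 1; k < n; ++k)
            if (!is_trail(enc, static_cast<unsigned char>(in[i + k])))
                throw std::invalid_argument("invalid trail byte");
        if (in[i] == '\'') out += '\'';
        out.append(in, i, n);
        i += n;
    }
    return Escaped{out, enc};
}

// Build the literal only if the connection encoding is unchanged since escaping.
std::string quote_into(Encoding current, const Escaped &e) {
    if (e.enc != current)
        throw std::logic_error("client encoding changed since escaping");
    return "'" + e.text + "'";
}
```

A caller that catches the `std::logic_error` would escape the original input again under the current encoding rather than reuse the stale result.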



